20,000 USDC
Submission Details
Severity: medium
Valid

Lender.sol - malicious lender can front-run big borrows and increase interest

Vulnerability Details

A lender can raise the interest rate before a borrower's borrow transaction goes through. The borrower has no way to cancel the transaction, so he can lose funds even if he tries to repay immediately. In some scenarios he cannot even repay immediately, because of miner (staker) manipulation.
Note that this kind of interest rate change ahead of a borrow can also happen accidentally.

Impact

Loss of funds for a borrower if the lender acts maliciously.

Tools Used

Manual Review

Recommendations

Allow the borrower to specify the interest rate at which he wants to borrow, as a kind of slippage check.
To implement this, you can add a field to the Borrow struct:

struct Borrow {
/// @notice the pool ID to borrow from
bytes32 poolId;
/// @notice the amount to borrow
uint256 debt;
/// @notice the amount of collateral to put up
uint256 collateral;
+ uint256 interestRate;
}
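
Review bot: the added `uint256 interestRate;` line is the only field in `Borrow` without a `/// @notice` comment, and the name alone does not say whether it is the exact rate the borrower expects or the highest rate he will accept. Suggest documenting it to match whichever comparison is adopted in borrow(), for example `/// @notice the highest interest rate the borrower will accept` if the `>` check is used.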

Then you can add to borrow():
if (pool.interestRate != borrows[i].interestRate) revert PoolConfig();
or
if (pool.interestRate > borrows[i].interestRate) revert PoolConfig();
The second form is sufficient, since a lender lowering the interest rate would not lead to an unknown material loss for the borrower.
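
The recommended check in context, as an added example that is not taken from the audited Lender.sol: a simplified lending contract in which the lender can change the rate at any time and borrow() reverts if the rate exceeds what the borrower specified. The contract name, the `Pool` and `Loan` layouts, `createPool` and `setInterestRate` are assumptions made for illustration; token transfers and collateral handling are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration only; not the audited Lender.sol.
contract RateGuardedLender {
    error PoolConfig();
    error Unauthorized();

    struct Pool {
        address lender;
        uint256 interestRate; // current rate; the lender may change it at any time
        uint256 poolBalance;
    }
    struct Borrow {
        bytes32 poolId;
        uint256 debt;
        uint256 collateral;
        uint256 interestRate; // highest rate the borrower accepts
    }
    struct Loan {
        address borrower;
        uint256 debt;
        uint256 interestRate; // assumption: rate is fixed when the loan is opened
    }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    function createPool(bytes32 poolId, uint256 rate, uint256 balance) external {
        if (pools[poolId].lender != address(0)) revert PoolConfig();
        pools[poolId] = Pool(msg.sender, rate, balance);
    }

    // Can be mined ahead of a pending borrow(); this is the ordering the finding describes.
    function setInterestRate(bytes32 poolId, uint256 newRate) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        pools[poolId].interestRate = newRate;
    }

    function borrow(Borrow[] calldata borrows) external {
        for (uint256 i = 0; i < borrows.length; i++) {
            Pool storage pool = pools[borrows[i].poolId];
            // Slippage check: revert if the rate is above what the borrower specified.
            if (pool.interestRate > borrows[i].interestRate) revert PoolConfig();
            if (borrows[i].debt > pool.poolBalance) revert PoolConfig();
            pool.poolBalance -= borrows[i].debt;
            loans.push(Loan(msg.sender, borrows[i].debt, pool.interestRate));
        }
    }
}
```

If `setInterestRate` lands first with a higher rate, the pending `borrow` reverts with `PoolConfig` instead of opening a loan at the new rate; a lowered rate still passes the check.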
