Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Missing zero address check for setFeeReceiver incurs loss of earnings for protocol

pxng0lin

Summary

Upon initialisation the Lender contract sets the feeReceiver to the msg.sender (owner). However, if the owner then sets the fee receiver again later and its a zero address, this will incur a loss of fees for the protocol when functions are called that include transfer of fees to governance/fee receiver.

Vulnerability Details

If the owner sets the fee receiver to a zero address by mistake in the Lender::setFeeReceiver() function, there is no check against this and the zero address is accepted.

function setFeeReceiver(address _feeReceiver) external onlyOwner {
feeReceiver = _feeReceiver;
}

Then when any of the functions listed are called, any fees that are calculated are transferred to the zero address, resulting in a loss of earnings for the protocol.

Functions

  • borrow()

  • repay()

  • giveLoan()

  • buyLoan()

  • zapBuyLoan()

  • refinance()

Impact

Loss of fees to the governance/fee receiver for transactions made by borrowers and lenders on the protocol.

Tools Used

Manual review, Foundry (test: https://gist.github.com/pxng0lin/f741119a3ead896da6df490599e012ea)

Recommendations

Implement a zero address check using the require function and the != (inequality) operator with address(0).

Example:

function setFeeReceiver(address _feeReceiver) external onlyOwner {
require(_feeReceiver != address(0), "Invalid fee receiver address!");
feeReceiver = _feeReceiver;
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!