20,000 USDC
Submission Details
Severity: medium
Valid

Fees contract is hardcoded to route only through Uniswap v3 0.3% fee pools rather than the pool that gives the best price

Summary

In Fees.sol, ISwapRouter only routes through 0.3% fee pools rather than checking the price of all pools, resulting in worse trading prices and potentially routing through non-existent pools.

Vulnerability Details

Uniswap v3 has 3 separate liquidity pools for each token: 0.05%, 0.3% and 1%. These are represented as 500, 3000 or 10000 in the fee field of ISwapRouter.ExactInputSingleParams.

The Fees contract only allows a fee of 3000. This is a problem because the fee tokens come from Staking.sol, which may contain illiquid tokens: it is permissionless with regard to which tokens it allows for loans, and these loan tokens are collected as fees. A 1% liquidity pool is the most common for these tokens, as a higher-fee liquidity pool is required to compensate LPs for the increased impermanent loss risk of less liquid tokens.

This can lead either to incidental large losses of fees during the transfer, due to unnecessarily large slippage from trading through a suboptimal pool,

or to an attack where:
- The fees contain a token with a liquid WETH-token 1% pool but an illiquid or non-existent WETH-token 0.3% pool.
- The attacker creates (if necessary) and then provides liquidity in the 0.3% pool.
- The attacker calls _swapProfits() to force the Fees.sol contract to sell tokens through the 0.3% pool for a bad price.
- They withdraw their liquidity, where the WETH would have been converted to the other token.
- They sell the WETH they gained back into the liquid WETH-token 1% pool, or just keep their profits in WETH.

Note that this attack is made even more viable by the fact that ISwapRouter.ExactInputSingleParams sets amountOutMinimum: 0. This is the slippage check parameter, so the fee contract effectively allows unlimited slippage for its Uniswap v3 trades. It is recommended to use a slippage check to prevent slippage-based losses.

Impact

  1. Suboptimal price for trading tokens in Fees contract to WETH

  2. Opens attack paths where (insert token)-WETH 0.3% pool is illiquid by initiating bad trades by the Fees contract.

Tools Used

Manual Review

Recommendations

  1. Select the optimal liquidity pool out of the 3 different fee options Uniswap v3 offers.
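
One way to apply this recommendation together with the slippage check suggested above, as an added example that is not code from Fees.sol or from the audited project. The contract name TierAwareSwapper, the functions bestTier and swap, and the 0.5% MAX_SLIPPAGE_BPS tolerance are hypothetical; the Uniswap v3 router, Quoter and factory addresses are assumed to be supplied at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {ISwapRouter} from "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";
import {IQuoter} from "@uniswap/v3-periphery/contracts/interfaces/IQuoter.sol";
import {IUniswapV3Factory} from "@uniswap/v3-core/contracts/interfaces/IUniswapV3Factory.sol";

// Hypothetical helper (not the audited contract). Assumes this contract already
// holds amountIn of tokenIn and has approved the router to spend it.
contract TierAwareSwapper {
    ISwapRouter public immutable router;
    IQuoter public immutable quoter;
    IUniswapV3Factory public immutable factory;
    uint256 public constant MAX_SLIPPAGE_BPS = 50; // assumed tolerance: 0.5%

    constructor(ISwapRouter r, IQuoter q, IUniswapV3Factory f) {
        router = r; quoter = q; factory = f;
    }

    // Quote the three fee tiers named in the finding and keep the best output.
    function bestTier(address tokenIn, address tokenOut, uint256 amountIn)
        public returns (uint24 bestFee, uint256 bestOut)
    {
        uint24[3] memory tiers = [uint24(500), 3000, 10000];
        for (uint256 i = 0; i < tiers.length; i++) {
            // Skip tiers with no deployed pool instead of routing into them.
            if (factory.getPool(tokenIn, tokenOut, tiers[i]) == address(0)) continue;
            // The Quoter reverts on uninitialized or empty pools; ignore those.
            try quoter.quoteExactInputSingle(tokenIn, tokenOut, tiers[i], amountIn, 0)
                returns (uint256 out) {
                if (out > bestOut) { bestOut = out; bestFee = tiers[i]; }
            } catch {}
        }
        require(bestOut > 0, "no usable pool");
    }

    function swap(address tokenIn, address tokenOut, uint256 amountIn) external returns (uint256) {
        (uint24 fee, uint256 quoted) = bestTier(tokenIn, tokenOut, amountIn);
        // Non-zero floor: the swap reverts if output falls below quote minus tolerance.
        uint256 minOut = quoted * (10_000 - MAX_SLIPPAGE_BPS) / 10_000;
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn, tokenOut: tokenOut, fee: fee,
            recipient: address(this), deadline: block.timestamp,
            amountIn: amountIn, amountOutMinimum: minOut, sqrtPriceLimitX96: 0
        }));
    }
}
```

The Quoter returns a same-block spot quote, so this removes the dependence on a single thin pool but does not detect a price moved across every tier at once. A TWAP or an off-chain reference price is a stronger source for the minimum output.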
