Submission Details
Severity: high

`Fees` contract cannot handle WETH

Summary

The Fees contract cannot handle WETH, resulting in WETH being stuck permanently in the contract.

Vulnerability Details

The Fees contract sells accumulated protocol fees on Uniswap V3. Since the protocol is designed to work with all ERC-20 based tokens, these fees could (and likely will) also include WETH. However, the Fees contract cannot handle WETH, because its only method, sellProfits, reverts when called with WETH:

    function sellProfits(address _profits) public {
        require(_profits != WETH, "not allowed");
        // ...
    }

Impact

WETH fees earned by the protocol via borrowing or liquidations are permanently stuck in the Fees contract.

Tools Used

None

Recommendations

When sellProfits is called with WETH, simply transfer the WETH balance directly to the staking contract:

    function sellProfits(address _profits) public {
        if (_profits == WETH) {
            // Forward the whole WETH balance to the staking contract instead of reverting.
            IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
            return;
        }
        // ...
    }
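
A regression test for this finding, added here as a Foundry example and not taken from the report or the audited code base. `MockWETH` and `FeesModel` are constructed stand-ins that reproduce only the WETH handling of `sellProfits` (the Uniswap swap path is left out), and the `staking` address is a placeholder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "forge-std/Test.sol";

// Constructed stand-in for WETH: only the ERC-20 functions the Fees contract uses.
contract MockWETH {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) external returns (bool) {
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Hypothetical reduced model of Fees: WETH handling only, swap path for other tokens omitted.
contract FeesModel {
    address public immutable WETH;
    address public immutable staking;
    bool public immutable patched; // false = original behaviour, true = recommended fix
    constructor(address w, address s, bool p) { WETH = w; staking = s; patched = p; }
    function sellProfits(address _profits) public {
        if (patched && _profits == WETH) {
            MockWETH(WETH).transfer(staking, MockWETH(WETH).balanceOf(address(this)));
            return;
        }
        require(_profits != WETH, "not allowed");
    }
}

contract FeesWethTest is Test {
    MockWETH weth = new MockWETH();
    address staking = address(0xBEEF); // placeholder staking contract address

    function test_originalLeavesWethStuck() public {
        FeesModel fees = new FeesModel(address(weth), staking, false);
        weth.mint(address(fees), 1 ether);
        vm.expectRevert(bytes("not allowed"));
        fees.sellProfits(address(weth));
        assertEq(weth.balanceOf(address(fees)), 1 ether); // no exit path for WETH
    }

    function test_patchedForwardsWethToStaking() public {
        FeesModel fees = new FeesModel(address(weth), staking, true);
        weth.mint(address(fees), 1 ether);
        fees.sellProfits(address(weth));
        assertEq(weth.balanceOf(address(fees)), 0);
        assertEq(weth.balanceOf(staking), 1 ether);
    }
}
```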
