20,000 USDC
Submission Details
Severity: high
Valid

`Fees.sellProfits` can be executed by anyone at any time and Uniswap `exactInputSingle` is executed with constant values. It could lead to fund loss.

Summary

The `Fees` contract converts an arbitrary token `_profits` to WETH and transfers the output amount to the staking contract.

There are two main problems that could lead to profit loss:

  1. The `sellProfits` function can be called by anyone at any time. Even if the function is correctly configured, a malicious user could call it when the swap is not favorable, leading to a loss.

  2. The `ExactInputSingleParams` struct passed to `swapRouter.exactInputSingle` has some constant parameters that could lead to profit loss.

Vulnerability Details

The `Fees` contract converts an arbitrary token `_profits` to WETH and transfers the output amount to the staking contract.

There are two main problems:

  1. The `sellProfits` function can be called by anyone at any time. Even if the function is correctly configured, a malicious user could call it when the swap is not favorable, leading to a loss.

  2. The `ExactInputSingleParams` struct passed to `swapRouter.exactInputSingle` has some constant parameters that could lead to profit loss:

    1. Uniswap v3 has three different fee tiers, and the fee chosen determines which pool the swap goes through. If the wrong fee tier has been chosen, that pool could have low liquidity.

    2. `amountOutMinimum` is set to zero as a hard-coded constant. As the Uniswap docs suggest: "For a real deployment, this value should be calculated using our SDK or an onchain price oracle - this helps protect against getting an unusually bad price for a trade due to a front running sandwich or another type of price manipulation"

    3. `sqrtPriceLimitX96` is set to zero as a hard-coded constant. Passing zero as the value makes the parameter "inactive". As the Uniswap docs suggest: "In production, this value can be used to set the limit for the price the swap will push the pool to, which can help protect against price impact or for setting up logic in a variety of price-relevant mechanisms."

Impact

`sellProfits` could lead to profit loss if called at the wrong time and with the wrong configuration.

Tools Used

Manual

Recommendations

  1. `sellProfits` should be callable only by authorized users when the swap is profitable.

  2. `ExactInputSingleParams` should be properly configured to avoid profit loss.
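
One way to apply both recommendations, as an added sketch that is not the audited contract's code: the caller is restricted and the fee tier, minimum output and price limit are supplied per swap instead of being constants. Assumptions: `FeesHardened`, `keeper`, the constructor arguments, the extra `sellProfits` arguments and selling the whole balance are hypothetical; only the `ExactInputSingleParams` layout follows Uniswap v3's `ISwapRouter`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not the audited Fees contract. Only the ISwapRouter shape is
// Uniswap v3's; FeesHardened, keeper and the extra arguments are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);
}

contract FeesHardened {
    ISwapRouter public immutable swapRouter;
    address public immutable weth;
    address public immutable staking;
    address public immutable keeper; // assumed authorized caller
    constructor(ISwapRouter router_, address weth_, address staking_, address keeper_) {
        swapRouter = router_; weth = weth_;
        staking = staking_; keeper = keeper_;
    }

    // The caller supplies the fee tier, minimum output and price limit per
    // swap (e.g. from an off-chain quote) instead of hard-coded constants.
    function sellProfits(address _profits, uint24 fee, uint256 minOut,
                         uint160 priceLimit, uint256 deadline) external {
        require(msg.sender == keeper, "not authorized");
        require(minOut > 0, "minOut must be set");
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        require(IERC20(_profits).approve(address(swapRouter), amount), "approve");
        swapRouter.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits, tokenOut: weth, fee: fee, recipient: staking,
            deadline: deadline, amountIn: amount,
            amountOutMinimum: minOut, sqrtPriceLimitX96: priceLimit
        }));
    }
}
```

With a non-zero `minOut` the router reverts the swap when the output falls below the quoted amount minus the caller's slippage tolerance, so a manipulated pool price cannot drain the profits.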
