A malicious borrower can exploit the pools using no-revert-on-transfer ERC20 tokens
Alice creates a pool of a no-revert-on-transfer ERC20 token (such as ZRX, EURS or BAT) and WETH with Lender.setPool().
Eve, from her EOA1, borrows the no-revert-on-transfer ERC20 tokens (ZRX, EURS or BAT) of this pool as debt and gives WETH as collateral with Lender.borrow().
Eve switches to her EOA2, which holds 0 ZRX, EURS or BAT, and calls Lender.repay() with the loanIds of the loan taken with her EOA1.
The repay function goes through even though no ZRX, EURS or BAT tokens were transferred to the pool as repayment, because these tokens do not throw on a failed transfer but simply return false, and that return value is not checked. As a result, the protocol fees are transferred to the fee receiver, the collateral tokens are transferred back from the pool to Eve, and loans[loanId] is deleted.
Therefore a malicious actor like Eve can drain any pool whose token pair includes a no-revert-on-transfer ERC20 token.
Drain funds from the no-revert-on-transfer ERC20 token pools of the protocol.
Manual review.
Use OpenZeppelin's SafeERC20 library and safeTransferFrom() to handle such tokens.
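The unchecked pattern the finding describes next to the recommended SafeERC20 fix, as an added example that is not the audited protocol's code; the contract, Loan struct, field names and fee logic are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal lender used only to illustrate the finding.
contract LenderExample {
    using SafeERC20 for IERC20;

    struct Loan {
        address borrower;
        IERC20 debtToken;
        uint256 debtAmount;
        IERC20 collateralToken;
        uint256 collateralAmount;
    }

    mapping(uint256 => Loan) public loans;
    address public feeReceiver;
    uint256 public feeBps; // protocol fee in basis points (assumed)

    // BEFORE: the raw transferFrom return value is ignored. A token that returns
    // false instead of reverting lets execution continue with no debt repaid,
    // and _settle then releases fees and collateral anyway.
    function repayUnsafe(uint256 loanId) external {
        Loan memory loan = loans[loanId];
        loan.debtToken.transferFrom(msg.sender, address(this), loan.debtAmount);
        _settle(loanId, loan);
    }

    // AFTER: safeTransferFrom reverts when the token returns false (or when the
    // low-level call fails), so collateral is released only after the debt arrived.
    function repay(uint256 loanId) external {
        Loan memory loan = loans[loanId];
        require(loan.borrower != address(0), "no such loan");
        loan.debtToken.safeTransferFrom(msg.sender, address(this), loan.debtAmount);
        _settle(loanId, loan);
    }

    // Checks-effects-interactions: clear the loan before any outbound transfers.
    // Collateral goes to the recorded borrower, not msg.sender (assumed policy).
    function _settle(uint256 loanId, Loan memory loan) internal {
        uint256 fee = (loan.debtAmount * feeBps) / 10000;
        delete loans[loanId];
        loan.debtToken.safeTransfer(feeReceiver, fee);
        loan.collateralToken.safeTransfer(loan.borrower, loan.collateralAmount);
    }
}
```

Applying the same SafeERC20 wrappers to every transfer and transferFrom in the protocol, not only in repay, closes the class of issue rather than this one instance.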