20,000 USDC
Submission Details
Severity: high
Valid

Deposits to `Lender.sol` won't work correctly with fee-on-transfer tokens

Summary

The Lender.sol contract won't work correctly with fee-on-transfer tokens.

Vulnerability Details

Fee-on-transfer tokens can charge a fee on every transfer() or transferFrom() call.

The problem is that the code does not correctly account for the amount actually deposited into the Lender.sol contract. For example, the addToPool() function lets a lender add tokens to their pool. If the lender uses a fee-on-transfer loanToken, the Lender contract ends up with fewer tokens than the `amount` value, so the pool balance update `_updatePoolBalance(poolId, pools[poolId].poolBalance + amount);` records an incorrect amount.

File: Lender.sol

```solidity
function addToPool(bytes32 poolId, uint256 amount) external {
    if (pools[poolId].lender != msg.sender) revert Unauthorized();
    if (amount == 0) revert PoolConfig();
    _updatePoolBalance(poolId, pools[poolId].poolBalance + amount);
    // transfer the loan tokens from the lender to the contract
    IERC20(pools[poolId].loanToken).transferFrom(
        msg.sender,
        address(this),
        amount
    );
}
```

Impact

The Lender contract will end up holding fewer tokens than the `amount` credited to the pool balance when users use fee-on-transfer tokens.

Tools used

Manual review

Recommendations

Measure the contract's balance before and after each transfer and update the pool balance with the amount actually received. Another option is to restrict the tokens allowed in the Lender.sol contract.
