20,000 USDC
Submission Details
Severity: medium

loan.auctionLength is not updated in buyLoan() and giveLoan()

Summary

giveLoan() and buyLoan() do not copy the pool.auctionLength of the new pool that bought the loan into loan.auctionLength.

Vulnerability Details

Lines 415 to 420 of giveLoan() (https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L415-L420) update the loan to match the new pool's configuration, but the update for loans[loanId].auctionLength is missing.

415 // update the loan with the new info
416 loans[loanId].lender = pool.lender;
417 loans[loanId].interestRate = pool.interestRate;
418 loans[loanId].startTimestamp = block.timestamp;
419 loans[loanId].auctionStartTimestamp = type(uint256).max;
420 loans[loanId].debt = totalDebt;

Lines 517 to 522 of buyLoan() (https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L517-L522) update the loan to match the new pool's configuration, but the update for loans[loanId].auctionLength is missing.

517 // update the loan with the new info
518 loans[loanId].lender = msg.sender;
519 loans[loanId].interestRate = pools[poolId].interestRate;
520 loans[loanId].startTimestamp = block.timestamp;
521 loans[loanId].auctionStartTimestamp = type(uint256).max;
522 loans[loanId].debt = totalDebt;

Impact

When startAuction() is called, the loan still runs under the old pool's auctionLength, which causes some inconvenience for the new lender because the loan does not follow his/her pool's configuration.
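The stale field can be reproduced in a small model. This is an added example, not code from the Beedle repository: it models the giveLoan() update block in Python, the sample pools are constructed, and the rule that an auction ends at start plus auctionLength is an assumption.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pool:
    lender: str
    interest_rate: int    # constructed sample unit: basis points
    auction_length: int   # seconds

@dataclass(frozen=True)
class Loan:
    lender: str
    interest_rate: int
    auction_length: int

def transfer_loan(loan: Loan, new_pool: Pool, patched: bool) -> Loan:
    """Simplified model of the update block at lines 415-420 of giveLoan()."""
    updated = replace(loan, lender=new_pool.lender,
                      interest_rate=new_pool.interest_rate)
    if patched:
        # The assignment the Recommendations section adds.
        updated = replace(updated, auction_length=new_pool.auction_length)
    return updated

# Loan fields that should mirror the receiving pool after a transfer.
POOL_DERIVED = ("lender", "interest_rate", "auction_length")

def stale_fields(loan: Loan, pool: Pool) -> list:
    """Invariant check: names of loan fields that disagree with the pool."""
    return [f for f in POOL_DERIVED if getattr(loan, f) != getattr(pool, f)]

def auction_end(loan: Loan, auction_start: int) -> int:
    """Assumption: the auction window is auction_start + auction_length."""
    return auction_start + loan.auction_length

# Constructed sample data: old pool auctions for 1 day, new pool for 3 days.
OLD_POOL = Pool("old_lender", 500, 86_400)
NEW_POOL = Pool("new_lender", 300, 3 * 86_400)
LOAN = Loan(OLD_POOL.lender, OLD_POOL.interest_rate, OLD_POOL.auction_length)

if __name__ == "__main__":
    for patched in (False, True):
        moved = transfer_loan(LOAN, NEW_POOL, patched)
        print(patched, stale_fields(moved, NEW_POOL), auction_end(moved, 0))
```

A check like stale_fields(), run after every loan transfer in a test suite, flags any pool-derived field that the update block forgets.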

Tools Used

Manual

Recommendations

Add an update so that loans[loanId].auctionLength matches the new pool.

In giveLoan()

415 // update the loan with the new info
416 loans[loanId].lender = pool.lender;
417 loans[loanId].interestRate = pool.interestRate;
418 loans[loanId].startTimestamp = block.timestamp;
419 loans[loanId].auctionStartTimestamp = type(uint256).max;
420 loans[loanId].debt = totalDebt;
+ loans[loanId].auctionLength = pool.auctionLength;
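Review bot: the assignments at 415-420 plus the added line are repeated almost verbatim in buyLoan() (517-522), so a field missed in one copy is likely to be missed in the other, as happened here. Consider moving the update into one internal helper used by both functions, and add a test asserting that loans[loanId].auctionLength equals pool.auctionLength after giveLoan().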

In buyLoan()

517 // update the loan with the new info
518 loans[loanId].lender = msg.sender;
519 loans[loanId].interestRate = pools[poolId].interestRate;
520 loans[loanId].startTimestamp = block.timestamp;
521 loans[loanId].auctionStartTimestamp = type(uint256).max;
522 loans[loanId].debt = totalDebt;
+ loans[loanId].auctionLength = pools[poolId].auctionLength;
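Review bot: line 518 takes the lender from msg.sender, while line 519 and the added line read interestRate and auctionLength from pools[poolId], and nothing in this hunk shows that msg.sender is the lender of pools[poolId]. Confirm that check exists earlier in buyLoan(); otherwise the loan's lender and its terms can come from different parties.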
