Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Buy loan with pool funds which is own by other user

b353n

Summary

User can buy a loan with pool which is not owned by him.

Vulnerability Details

function buyLoan must to be called with loanId and poolId without check if poolId is owned by msg.sender. As result is transfered loan to user pool which is payed by other user pool.
In function buyLoan missing check if(pools[poolId].lender == msg.sender)
For example:

Alice create pool with 50 DAI
Bob get a loan from Alice pool for 30 DAI
Bob not pay his loan and Alice start auction
Nobody buy a loan on auction
Attacker call buyLoan function with bob loanId and Alice poolId
Attacker is now owner of bob loan which is pay by Alice pool

Impact

User can lose funds due to somebody buy loan with they pool funds

Tools Used

Manual Review

Recommendations

Add check in buyLoan
if (pools[poolId].lender != msg.sender) revert Unauthorized();

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.