20,000 USDC
Submission Details
Severity: high
Valid

The logic for the `refinance` function is incorrect and will improperly drain funds from lender pools

Summary

The `refinance` function does not properly update the `poolBalance` of the pool that the loan is being refinanced into. More specifically, it decreases `poolBalance` by more than it should, which means the lender of that pool will directly lose funds.

Vulnerability Details

The refinance function is defined as follows (here I am only keeping the logic relevant for this bug):

```solidity
function refinance(Refinance[] calldata refinances) public {
    for (uint256 i = 0; i < refinances.length; i++) {
        ...
        bytes32 poolId = refinances[i].poolId;
        ...
        uint256 debt = refinances[i].debt;
        ...
        // now lets deduct our tokens from the new pool
        _updatePoolBalance(poolId, pools[poolId].poolBalance - debt); // @ first decrement
        pools[poolId].outstandingLoans += debt;
        ...
        // update pool balance
        pools[poolId].poolBalance -= debt; // @ second decrement
        ...
    }
}
```

As you can see, for a given amount of `debt`, which a borrower specifies when refinancing a loan, twice that amount is decremented from the `poolBalance` of the lender pool being refinanced into. This logic is incorrect, and the owner of that lender pool loses funds equal to the `debt` amount.
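The double decrement can be made visible with an accounting invariant: a pool's idle balance plus its outstanding loans should not change when a loan is refinanced into it. The following is an added example, not code from the audited contract; `PoolAccountingModel`, `RefinanceInvariantCheck`, `deposit`, `lenderFunds`, `run` and the sample amounts are hypothetical, and the model assumes Solidity 0.8 checked arithmetic and ignores interest and fees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model of the pool bookkeeping in the excerpt (hypothetical names).
contract PoolAccountingModel {
    struct Pool {
        uint256 poolBalance;      // tokens idle in the pool
        uint256 outstandingLoans; // tokens currently lent out
    }
    mapping(bytes32 => Pool) public pools;

    function deposit(bytes32 poolId, uint256 amount) external {
        pools[poolId].poolBalance += amount;
    }

    // Mirrors the excerpt: the new pool's balance is reduced twice.
    function refinanceBuggy(bytes32 poolId, uint256 debt) external {
        _updatePoolBalance(poolId, pools[poolId].poolBalance - debt); // first decrement
        pools[poolId].outstandingLoans += debt;
        pools[poolId].poolBalance -= debt; // second decrement
    }

    // Same bookkeeping with the second decrement removed.
    function refinanceFixed(bytes32 poolId, uint256 debt) external {
        _updatePoolBalance(poolId, pools[poolId].poolBalance - debt);
        pools[poolId].outstandingLoans += debt;
    }

    // Funds credited to the lender: idle balance plus money lent out.
    function lenderFunds(bytes32 poolId) public view returns (uint256) {
        return pools[poolId].poolBalance + pools[poolId].outstandingLoans;
    }

    function _updatePoolBalance(bytes32 poolId, uint256 newBalance) internal {
        pools[poolId].poolBalance = newBalance;
    }
}

contract RefinanceInvariantCheck {
    // Returns how far lenderFunds drifts from the deposit in each variant.
    function run() external returns (uint256 lossBuggy, uint256 lossFixed) {
        PoolAccountingModel m = new PoolAccountingModel();
        (bytes32 a, bytes32 b) = (keccak256("pool-a"), keccak256("pool-b"));
        m.deposit(a, 1000); // constructed sample amounts
        m.deposit(b, 1000);
        m.refinanceBuggy(a, 300);
        m.refinanceFixed(b, 300);
        lossBuggy = 1000 - m.lenderFunds(a); // shortfall equals the refinanced debt
        lossFixed = 1000 - m.lenderFunds(b); // invariant holds, no shortfall
    }
}
```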

Impact

Lenders whose pools are refinanced into through the `refinance` function will directly lose funds.

Tools Used

Manual review

Recommendations

Remove the following line of code from the refinance function, L698:

- pools[poolId].poolBalance -= debt;
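
Review bot: the removal of `pools[poolId].poolBalance -= debt;` comes without a regression test, so nothing guards against the second decrement being reintroduced. Add a test asserting that after `refinance` the new pool's `poolBalance` has dropped by exactly `debt` and its `outstandingLoans` has risen by `debt`. Identifying the line by its content rather than by "L698" would also keep the recommendation valid if line numbers shift.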
