Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

lender can startAuction at anytime

twcctop

Summary

lender can startAuction at anytime

Vulnerability Details

function startAuction(uint256[] calldata loanIds) public {

for (uint256 i = 0; i < loanIds.length; i++) {

uint256 loanId = loanIds[i];

// get the loan info

Loan memory loan = loans[loanId];

// validate the loan

if (msg.sender != loan.lender) revert Unauthorized();

if (loan.auctionStartTimestamp != type(uint256).max)

revert AuctionStarted();

// set the auction start timestamp

loans[loanId].auctionStartTimestamp = block.timestamp;

emit AuctionStart(

loan.borrower,

loan.lender,

loanId,

loan.debt,

loan.collateral,

block.timestamp,

loan.auctionLength

);

}

it seems that lender can start auction at anytime,without any limitaion,which is very unfair to borrower.Because the protocol is oracleless, it doesn't work like other lending protocols to quote canliquidate, but the start of borrower's asset liquidation should have some limitation, or else it could be very unfair to borrower

Impact

borrow could lose his collateral at any time

Tools Used

manual

Recommendations

Because dept goes up with time, I think recalcute loanRatio before start liquidation is a good way

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.