The vulnerability in the lender smart contract arises from improper handling of certain ERC20 tokens, such as ZRX and BAT, which return false instead of throwing when the transferFrom() function fails. Additionally, the contract fails to check the return values of the transferFrom() function.
The impact of this vulnerability includes the unauthorized creation of lending pools of any balance without providing any tokens as collateral. Malicious actors can then drain all the funds in these pools (represented by the token) without providing any tokens.
To address this vulnerability, the contract should implement proper return value checks or use safeTransferFrom().
This vulnerability poses a significant risk to the security and integrity of the lending pool system. The scenario involves a malicious lender who takes advantage of certain ERC20 tokens that return false instead of throwing an exception when the transferFrom() function fails. Additionally, the lender contract fails to properly check the return values of the transferFrom() function.
The potential impact of this vulnerability is as follows:
Unauthorized Pool Creation: The malicious lender exploits the vulnerability to create a lending pool without sending any tokens to the pool. As a result, the pool is initialized without the required collateral, which violates the intended functionality of the lending protocol.
Token Drainage: By bypassing the token transfer during pool creation, the malicious lender can drain all the tokens provided by other legitimate pools. Since the pool was initialized without proper collateral, the attacker can exercise their options and withdraw the tokens offered by other lenders without providing any corresponding tokens in return. This action leads to a loss of funds for the legitimate lenders, resulting in financial damages and destabilization of the lending ecosystem.
Loss of User Funds: Users who participate in the affected lending pools may suffer substantial financial losses. The attacker's ability to drain tokens from other pools could result in significant losses for lenders and borrowers who expected the lending pools to operate securely and according to the intended rules.
Reputation Damage: The presence of such a vulnerability can severely damage the reputation and trustworthiness of the lending platform. Users may lose confidence in the platform's security measures, leading to a decreased willingness to use the lending service.
Manual review.
Check the success boolean of all transferFrom() calls. Alternatively, use OpenZeppelin SafeERC20's safeTransferFrom() function.