Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

Submission Details

Severity: high

Valid

Incompatible with Fee-on-transfer ERC20 tokens

The contract is incompatible with fee-on-transfer ERC20 tokens. The poolBalance is recorded incorrectly.

The contract will track the incorrect poolBalance as the added amount to both will be always more than what was actually deposited.
When withdrawing (repay, refinance) from the contract, the user will receive less token amount than what they should receive.
The protocol will receive less fee than accounted.
Tokens cannot be withdrawn as there will be fewer tokens than stated in the poolBalance.
When the token balance would be insufficient after stating incorrect poolBalance. The pool would then use another pool's token balance as it is considered valid because the poolBalance still has balance in it.

Manual Review.

The only thing the protocol can control is during the credit transfer to the contract. The fee during withdrawal by the user cannot be controlled.

So, either disallow the use of fee tokens or limit the consequences of the fee token by following the given steps:

Add a beforeTransferBalance and track the balance of the contract before the token transfer.
Transfer the token.
Add a afterTransferBalance and track the new balance of the contract.
uint256 transferAmount = afterTransferBalance - beforeTransferBalance.
Update the pool balance. _updatePoolBalance(poolId, pools[poolId].poolBalance + transferAmount).

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

The contest is live. Earn rewards by submitting a finding.

Submissions are being carefully reviewed by our judges.

This is your time to appeal against judgements on your submissions.

Appeals are being carefully reviewed by our judges.

The contest is complete and the rewards are being distributed.

Support

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.