20,000 USDC
Submission Details
Severity: high
Valid

Absence of Pool Ownership Verification in `buyLoan` Function

Summary

The buyLoan function lacks adequate verification to confirm whether the caller owns a pool with tokens before proceeding with the loan purchase. While the function checks the pool's balance to cover the loan and interest, it does not explicitly validate pool ownership. This deficiency can lead to misleading error messages and unauthorized access, allowing non-owners to participate in the loan auction.

Vulnerability Details

The buyLoan function facilitates the purchase of a loan from the original lender during a refinance auction. However, it fails to verify if the caller is the owner of the pool specified by the provided poolId. The function performs a check to ensure the pool has enough tokens to cover the loan, lender interest, and protocol fees, but it overlooks the crucial step of pool ownership verification.

```solidity
function buyLoan(uint256 loanId, bytes32 poolId) public {
    // ... (previous code)
    // reject if the pool is not big enough
    uint256 totalDebt = loan.debt + lenderInterest + protocolInterest;
    if (pools[poolId].poolBalance < totalDebt) revert PoolTooSmall();
    // ... (rest of the code)
}
```

Impact

Unauthorized Access: Non-owners can call the buyLoan function, even if they do not have a valid pool with tokens. This can result in unauthorized participation in the loan auction and potentially manipulate the system's loan purchase process.

Tools Used

Manual

Recommendations

To address this vulnerability, proper pool ownership verification should be incorporated into the buyLoan function. One effective mitigation is to implement a modifier that verifies whether the caller is the owner of the pool specified by the poolId. This can be achieved by checking if the poolId exists in the pools mapping and whether it belongs to the caller's address.

```solidity
modifier poolOwnerOnly(bytes32 poolId) {
    require(pools[poolId].owner == msg.sender, "Caller does not own this pool");
    _;
}

function buyLoan(uint256 loanId, bytes32 poolId) public poolOwnerOnly(poolId) {
    // ... (existing code)
}
```

By adding this modifier, the buyLoan function will only execute if the caller is the owner of the specified pool. If the caller does not own the pool, or if poolId does not identify an existing pool (its owner field is then the zero address, which never equals msg.sender), the function will revert with the message "Caller does not own this pool". This ensures that only authorized users with valid pools can participate in the loan purchase process, reducing the risk of unauthorized access and misuse of the function.
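A self-contained sketch of the recommended check, added here as an example and not taken from the audited contract: it places the balance-only variant beside the owner-gated one and uses a custom error (`NotPoolOwner`) in the style of the existing `PoolTooSmall()` instead of a revert string. The `debtOf` mapping, `createPool`, `openLoan`, `buyLoanUnchecked`, the bookkeeping in `_take` and the `Stranger` test caller are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited contract. Only `pools`, `owner`, `poolBalance`,
// `PoolTooSmall` and the buyLoan signature come from the report; the rest is assumed.
contract LenderSketch {
    struct Pool { address owner; uint256 poolBalance; }
    mapping(bytes32 => Pool) public pools;
    mapping(uint256 => uint256) public debtOf; // loanId => total debt (constructed)
    error PoolTooSmall();
    error NotPoolOwner();

    modifier poolOwnerOnly(bytes32 poolId) {
        // An unknown poolId has owner == address(0), so it is rejected here as well.
        if (pools[poolId].owner != msg.sender) revert NotPoolOwner();
        _;
    }

    function createPool(bytes32 poolId, uint256 balance) external {
        require(pools[poolId].owner == address(0), "pool exists");
        pools[poolId] = Pool(msg.sender, balance);
    }
    function openLoan(uint256 loanId, uint256 debt) external { debtOf[loanId] = debt; }

    // Before: only the balance is checked, so the caller need not own the pool.
    function buyLoanUnchecked(uint256 loanId, bytes32 poolId) external {
        _take(loanId, poolId);
    }

    // After: same body, gated on ownership of poolId.
    function buyLoan(uint256 loanId, bytes32 poolId) external poolOwnerOnly(poolId) {
        _take(loanId, poolId);
    }

    function _take(uint256 loanId, bytes32 poolId) internal {
        uint256 totalDebt = debtOf[loanId];
        if (pools[poolId].poolBalance < totalDebt) revert PoolTooSmall();
        pools[poolId].poolBalance -= totalDebt; // simplified bookkeeping (assumed)
    }
}

// Test caller that owns no pool; reports which variant accepted its call.
contract Stranger {
    function probe(LenderSketch l, uint256 loanId, bytes32 poolId)
        external returns (bool uncheckedOk, bool checkedOk)
    {
        try l.buyLoanUnchecked(loanId, poolId) { uncheckedOk = true; } catch {}
        try l.buyLoan(loanId, poolId) { checkedOk = true; } catch {}
    }
}
```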
