Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Arithmetic Overflow and Underflow in seizeLoan Function

daniel526

Summary

The seizeLoan function in the smart contract allows anyone to seize a loan after a failed refinance auction. However, the function is susceptible to arithmetic overflow and underflow issues during the calculation and deduction of the govFee. This vulnerability could result in incorrect fee calculations and improper transfers of collateral tokens.

Vulnerability Details

The vulnerable code snippet is as follows:

uint256 govFee = (borrowerFee * loan.collateral) / 10000;

IERC20(loan.collateralToken).transfer(feeReceiver, govFee);

IERC20(loan.collateralToken).transfer(loan.lender, loan.collateral - govFee);

The vulnerability arises from the calculation of govFee, which multiplies the borrowerFee with the loan.collateral and then divides the result by 10000. If the value of borrowerFee exceeds 10000, an arithmetic overflow may occur during the multiplication, leading to an incorrect govFee. Subsequently, when this incorrect value is subtracted from loan.collateral, an arithmetic underflow can happen.

Impact

The arithmetic overflow and underflow can cause severe issues during the execution of the seizeLoan function. Incorrectly calculated govFee may result in an unintended transfer of collateral tokens, potentially leading to a loss of funds or disrupting the system's intended behavior.

Tools Used

Manual

Recommendations

To address this vulnerability, the contract should perform input validation to ensure that borrowerFee is within a valid range of 0 to 10000. Additionally, the contract should use SafeMath or a similar library to handle arithmetic operations safely, preventing potential overflow and underflow scenarios.

// Import the SafeMath library

import "@openzeppelin/contracts/utils/math/SafeMath.sol";

// In your contract, declare SafeMath

using SafeMath for uint256;

// Modify the function to use SafeMath

function seizeLoan(uint256[] calldata loanIds) public {

for (uint256 i = 0; i < loanIds.length; i++) {

uint256 loanId = loanIds[i];

// ... (other parts of the code)

// Calculate the govFee using SafeMath

uint256 govFee = borrowerFee.mul(loan.collateral).div(10000);

// ... (rest of the code)

}

Severity:
The severity of this vulnerability can be considered as High.

Explanation:
The vulnerability in the seizeLoan function could result in arithmetic overflow and underflow, potentially leading to unintended transfers of collateral tokens. Depending on the values involved, this could have significant consequences, such as loss of funds, improper functioning of the system, or unexpected behavior in token transfers.

Moreover, as this function can be called by anyone, there is a possibility of malicious actors exploiting the vulnerability to manipulate fee calculations and token transfers to their advantage.

Given the potential for financial loss and disruption of the system's intended behavior, this vulnerability should be addressed urgently with proper input validation and SafeMath implementation to ensure secure and correct execution of the seizeLoan function.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.