20,000 USDC
Submission Details
Severity: high

WETH tokens can be stolen while claiming rewards

Summary

WETH tokens can be stolen from the Staking contract while claiming, because the WETH is transferred to the sender before the sender's claimable balance is updated.

This creates a re-entrancy vulnerability through which the WETH available in the contract can be drained.

Vulnerability Details

A smart contract deposits tokens into the staking contract, which accrue reward tokens over time.
At some point, the smart contract can claim the accrued rewards by calling the claim function on the staking contract.

When WETH.transfer() is called, the smart contract can use its fallback or receive function to call claim() on the staking contract again, repeating until most of the WETH is drained.

This is possible because the claimable balance for the smart contract was not updated yet.

Impact

Loss of funds

Tools Used

Manual Review

Recommendations

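  1. Revise the function as below.

    function claim() external {
        updateFor(msg.sender);
        // Cache the amount, then zero the balance before the external call,
        // so a re-entrant claim() sees nothing left to pay out.
        uint256 amount = claimable[msg.sender];
        claimable[msg.sender] = 0;
        WETH.transfer(msg.sender, amount);
        balance = WETH.balanceOf(address(this));
    }

  2. Use Reentrancy Guard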
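
A Python model of the claim flow, added here as an illustration and not code from the audited contract or the original submission: it compares the transfer-first ordering described in the summary with the two recommendations. The class and function names, the pool of 100, the reward of 10, and the recipient hook that runs during the transfer are assumptions made for the model.

```python
class Reentered(Exception):
    """Stands in for the revert a reentrancy guard raises."""

class Staking:
    # Toy model; the vulnerable ordering is assumed from the report's summary.
    def __init__(self, pool, mode):
        self.pool, self.mode = pool, mode      # mode: "vulnerable" | "cei" | "guard"
        self.claimable, self.locked = {}, False

    def _transfer(self, to, amount):
        assert amount <= self.pool, "insufficient WETH"
        self.pool -= amount
        to.received += amount
        to.on_receive(self)                    # assumption: recipient code runs here

    def claim(self, who):
        if self.mode == "guard":               # recommendation 2: lock around claim()
            if self.locked:
                raise Reentered()
            self.locked = True
        if self.mode == "cei":                 # recommendation 1: effects before interaction
            amount, self.claimable[who] = self.claimable[who], 0
            self._transfer(who, amount)
        else:                                  # interaction before effects
            self._transfer(who, self.claimable[who])
            self.claimable[who] = 0
        self.locked = False

class ReenteringRecipient:
    """Constructed recipient that calls claim() again whenever it is paid."""
    def __init__(self, max_reentries=50):      # budget stands in for a gas limit
        self.received, self.budget = 0, max_reentries

    def on_receive(self, staking):
        owed = staking.claimable[self]
        if self.budget > 0 and staking.pool >= owed:
            self.budget -= 1
            try:
                staking.claim(self)
            except Reentered:
                pass                           # guard rejected the nested call

def simulate(mode, pool=100, reward=10):
    """Return (amount received by the recipient, WETH left in the pool)."""
    staking, user = Staking(pool, mode), ReenteringRecipient()
    staking.claimable[user] = reward
    staking.claim(user)
    return user.received, staking.pool
```

With the transfer-first ordering the recipient ends up with the whole pool; with either recommendation it receives only the reward it accrued.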
