20,000 USDC
Submission Details
Severity: high
Valid

Inconsistent Balances

Summary

When a loan is bought into another pool, the contract does not check that the loan token and collateral token of the new pool match those of the pool the loan is being bought from.

Vulnerability Details

The buyLoan function moves a loan that is up for auction into the pool identified by poolId, settling the old pool's balance from the new pool's balance. It never checks that the new pool uses the same loan token and the same collateral token as the old pool, so a loan denominated in one asset can be transferred into a pool whose stored balance is denominated in a different asset.

Impact

Because the debt is credited to one pool and debited from another pool that is denominated in a different token, the stored pool balances no longer match the actual token balances held by the contract. The accounting of both pools is corrupted: lenders can withdraw and lend out tokens that belong to other lenders, and the real owners of those tokens are then unable to withdraw them. This opens a window for manipulation that allows an attacker to steal tokens from the contract.

Tools Used

Manual Review

Recommendations

In the buyLoan function, verify that the new pool's loan token and collateral token are identical to those of the loan (and therefore of the pool it is being bought from), and revert otherwise.
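The following is an added illustration of the missing check described in Vulnerability Details and of the fix proposed above. It is not the audited contract's code: the contract name, struct layout, error names, and the setup and internal helper functions are assumptions made for this example, and interest accrual, authorization, and the other checks the real buyLoan performs are omitted. The unchecked variant is kept beside the hardened one only to show the difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model of the affected logic, not the audited contract's code.
// Struct fields, error names and helper functions are assumptions.
contract LoanMarketModel {
    struct Pool {
        address lender;
        address loanToken;
        address collateralToken;
        uint256 poolBalance;      // loan tokens the pool believes it holds
        uint256 outstandingLoans; // loan tokens currently lent out
    }

    struct Loan {
        address borrower;
        address loanToken;
        address collateralToken;
        uint256 debt;
        uint256 collateral;
        bytes32 poolId;
        uint256 auctionStartTimestamp; // type(uint256).max when not in auction
    }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error PoolConfig();
    error NotInAuction();

    // Setup helpers so the model can be deployed and exercised (assumed).
    function setPool(bytes32 poolId, Pool calldata p) external {
        pools[poolId] = p;
    }

    function addLoan(Loan calldata l) external returns (uint256 loanId) {
        loans.push(l);
        return loans.length - 1;
    }

    // Vulnerable shape: the loan is moved into `poolId` without checking
    // that the new pool lends the same token against the same collateral.
    function buyLoanUnchecked(uint256 loanId, bytes32 poolId) external {
        Loan storage loan = loans[loanId];
        if (loan.auctionStartTimestamp == type(uint256).max) revert NotInAuction();
        _transferLoan(loan, poolId);
    }

    // Hardened shape: the new pool's loan token and collateral token must
    // match the loan's, otherwise its stored balances would be credited
    // and debited in units of a different asset.
    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Loan storage loan = loans[loanId];
        Pool storage newPool = pools[poolId];
        if (loan.auctionStartTimestamp == type(uint256).max) revert NotInAuction();
        if (
            newPool.loanToken != loan.loanToken ||
            newPool.collateralToken != loan.collateralToken
        ) revert PoolConfig();
        _transferLoan(loan, poolId);
    }

    // Bookkeeping shared by both variants: the old pool is repaid out of the
    // new pool's balance. Without the token check above, this arithmetic
    // mixes balances of two different ERC-20 tokens.
    function _transferLoan(Loan storage loan, bytes32 newPoolId) internal {
        Pool storage oldPool = pools[loan.poolId];
        Pool storage newPool = pools[newPoolId];
        oldPool.poolBalance += loan.debt;
        oldPool.outstandingLoans -= loan.debt;
        newPool.poolBalance -= loan.debt;
        newPool.outstandingLoans += loan.debt;
        loan.poolId = newPoolId;
        loan.auctionStartTimestamp = type(uint256).max;
    }
}
```

Comparing the two token addresses is cheap and sufficient here: once both pools are known to be denominated in the same loan token and collateral token, the balance transfer in the internal helper keeps the stored pool balances consistent with the tokens the contract actually holds.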
