Submission Details
Severity: high
Valid

`SellProfits()` in Fees.sol is prone to front-running attacks

Summary

sellProfits() in Fees.sol is prone to front-running attacks

Vulnerability Details

`amountOutMinimum` in `sellProfits()` is hardcoded to `0`, which means the slippage tolerance is effectively 100%. MEV front-running bots can pay a higher gas fee to sandwich the call, and the protocol will end up with unfavorable trades.

Side note: not all tokens have a liquidity pool pair with WETH.
The protocol can potentially lose all profits if MEV bots detect a pair that has not yet been deployed, or a pool with low liquidity, as this could result in extreme price volatility. In addition, `sellProfits()` is marked as `public`, which makes it easier for an attacker to perform the swap on behalf of the protocol at a moment of their choosing.

Impact

The protocol can lose all profits.

Tools Used

Manual Review

Recommendations

Create a separate mechanism to manage `amountOutMinimum` instead of hardcoding `0`.
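The following is an added illustration, not code from Fees.sol or the audited project. It assumes the swap goes through a Uniswap V3 style router (`ISwapRouter.exactInputSingle`, whose params struct really does carry an `amountOutMinimum` field) and that the contract holds an `owner`; the names `FeesVulnerable`, `FeesHardened`, `tokenAllowed`, `pool` and the error types are hypothetical. The first contract shows the shape described in the finding (public entry point, `amountOutMinimum: 0`); the second shows one way to apply the recommendation, taking the minimum as a per-call parameter computed off-chain from a quote rather than as a stored value, together with a caller-supplied deadline and a token allowlist for the "no WETH pool" case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Trimmed copy of Uniswap V3's ISwapRouter: only what this example needs.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params) external payable returns (uint256 amountOut);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical reconstruction of the vulnerable pattern: anyone may trigger the swap,
// and amountOutMinimum is 0, so the router accepts any output, including near-zero.
contract FeesVulnerable {
    ISwapRouter public immutable router;
    address public immutable weth;

    constructor(ISwapRouter _router, address _weth) { router = _router; weth = _weth; }

    function sellProfits(address token) public {
        uint256 amountIn = IERC20(token).balanceOf(address(this));
        IERC20(token).approve(address(router), amountIn);
        router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: token,
            tokenOut: weth,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,   // always "now", so it never expires
            amountIn: amountIn,
            amountOutMinimum: 0,         // 100% slippage tolerance
            sqrtPriceLimitX96: 0
        }));
    }
}

// Hardened variant (example only): restricted caller, per-call minimum from an off-chain quote,
// real deadline, and an allowlist of tokens that have a known WETH pool.
contract FeesHardened {
    ISwapRouter public immutable router;
    address public immutable weth;
    address public immutable owner;
    mapping(address => uint24) public pool; // token => fee tier of its vetted WETH pool (0 = not allowed)

    error Unauthorized();
    error TokenNotAllowed(address token);
    error ZeroMinimum();
    error NothingToSell();

    constructor(ISwapRouter _router, address _weth) {
        router = _router; weth = _weth; owner = msg.sender;
    }

    modifier onlyOwner() { if (msg.sender != owner) revert Unauthorized(); _; }

    // Only tokens whose pool has been reviewed for liquidity can be sold.
    function setTokenPool(address token, uint24 feeTier) external onlyOwner { pool[token] = feeTier; }

    // amountOutMinimum is computed off-chain (e.g. quoted price minus a slippage bound)
    // and passed in; the router reverts the whole swap if the output falls below it.
    function sellProfits(address token, uint256 amountOutMinimum, uint256 deadline)
        external onlyOwner returns (uint256 amountOut)
    {
        uint24 feeTier = pool[token];
        if (feeTier == 0) revert TokenNotAllowed(token);
        if (amountOutMinimum == 0) revert ZeroMinimum();
        uint256 amountIn = IERC20(token).balanceOf(address(this));
        if (amountIn == 0) revert NothingToSell();
        IERC20(token).approve(address(router), amountIn);
        amountOut = router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: token,
            tokenOut: weth,
            fee: feeTier,
            recipient: address(this),
            deadline: deadline,                 // caller-chosen; stale transactions revert
            amountIn: amountIn,
            amountOutMinimum: amountOutMinimum, // sandwich pushes output below this => revert
            sqrtPriceLimitX96: 0
        }));
    }
}
```

The design choice worth noting: a stored "minimum" setter would go stale as prices move, so the hardened version takes the bound per call and rejects `0` outright. A sandwich attack still manipulates the pool, but the victim leg now reverts instead of executing at the manipulated price, which converts "protocol loses all profits" into "this call fails and is retried".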
