Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Lack of Slippage Control in sellProfits function

0xCiphky

Summary

The sellProfits function in the Fees contract is employed to swap tokens earned from liquidations and fees to WETH. This operation is performed via the swapExactInputSingle function in the Uniswap v3 router, which exchanges a fixed quantity of one token for the maximum possible amount of another token. The issue arises due to the amountOutMinimum parameter being hardcoded to 0, which leaves the swap susceptible to front-running attacks that could result in a loss of protocol funds.

Vulnerability Details

An attacker could potentially exploit this vulnerability in the following way:

The attacker identifies a sellProfits transaction for a substantial amount in the mempool.
The attacker then proceeds to sandwich the Uniswap swap, which could cause a significant loss of funds for the protocol due to the absence of slippage control.

The code snippet of the vulnerable function:

/// @notice swap loan tokens for collateral tokens from liquidations

/// @param _profits the token to swap for WETH

function sellProfits(address _profits) public {

require(_profits != WETH, "not allowed");

uint256 amount = IERC20(_profits).balanceOf(address(this));

ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({

tokenIn: _profits,

tokenOut: WETH,

fee: 3000,

recipient: address(this),

deadline: block.timestamp,

amountIn: amount,

amountOutMinimum: 0,

sqrtPriceLimitX96: 0

});

amount = swapRouter.exactInputSingle(params);

IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));

}

Impact

A front-running attack could potentially lead to a significant loss of protocol funds.

Tools Used

Manual analysis

Recommendations

Implement slippage control for the sellProfits function by setting a reasonable value for amountOutMinimum rather than hardcoding it to 0. This would limit the potential price impact of large swaps.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.