20,000 USDC
Submission Details
Severity: medium

Tokens with multiple addresses can break protocol invariant

Summary

The Beedle protocol's documentation specifies that a lender can have only one pool per token pair. Because pool identity is derived from token contract addresses, this rule does not hold for tokens that expose more than one contract address for the same underlying balance, as proxy-style ERC20 tokens do. Known examples include the Synthetix tokens (SNX, sBTC) and the TUSD stablecoin.

Vulnerability Details

The getPoolId function generates a pool ID by hashing the lender's address, the loan token's address, and the collateral token's address:

function getPoolId(address lender, address loanToken, address collateralToken)
    public
    pure
    returns (bytes32 poolId)
{
    poolId = keccak256(abi.encode(lender, loanToken, collateralToken));
}

If a token has multiple contract addresses, a lender can create one pool per distinct (loan token address, collateral token address) combination. Each pool gets a unique ID even though all of them hold the same underlying asset pair; getPoolId compares nothing but addresses, so it cannot detect the overlap.

Impact

This breaks the protocol's invariant that each lender has at most one lending pool per token pair. Any function or off-chain component that assumes a unique pool per lender and pair can therefore return or act on inconsistent results when it meets two pools that hold the same underlying assets.

Tools Used

Manual analysis

Recommendations

The invariant cannot be enforced at the address level for such tokens. Either maintain an allowlist of supported token addresses that maps every known alias to one canonical address and reject everything else, or document that uniqueness holds per token address rather than per underlying asset and review every function that relies on the stricter property.
