Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Inconsistent balance when tokens with fee on transfer are used

0xCiphky

Summary

The Beedle contract assumes that the amount of tokens inputted matches the amount received. However, this assumption may not hold true when dealing with tokens that impose a fee on transfers. This discrepancy between the amount received and the amount accounted for could lead to a loss of funds for all parties interacting with the protocol.

Vulnerability Details

Let's illustrate this with an example:

Consider a scenario where a lending pool is set up with a loan token that imposes a fee on transfers.

When the addToPool function is called, the amount of tokens accounted for will be more than the actual tokens received by the protocol due to the transfer fee.

function addToPool(bytes32 poolId, uint256 amount) external {

if (pools[poolId].lender != msg.sender) revert Unauthorized();

if (amount == 0) revert PoolConfig();

_updatePoolBalance(poolId, pools[poolId].poolBalance + amount);

// transfer the loan tokens from the lender to the contract

IERC20(pools[poolId].loanToken).transferFrom(msg.sender, address(this), amount);

}

Later, when the removeFromPool function is called, the protocol will transfer out the full accounted amount.

function removeFromPool(bytes32 poolId, uint256 amount) external {

if (pools[poolId].lender != msg.sender) revert Unauthorized();

if (amount == 0) revert PoolConfig();

_updatePoolBalance(poolId, pools[poolId].poolBalance - amount);

// transfer the loan tokens from the contract to the lender

IERC20(pools[poolId].loanToken).transfer(msg.sender, amount);

}

Impact

If the protocol receives fewer tokens due to a transfer fee but later sends out the full accounted amount, it will effectively lose the amount of the transfer fee. In a high-volume environment or with large-value transactions, this could lead to substantial losses over time.

Tools Used

Manual analysis

Recommendations

To mitigate this vulnerability, we recommend checking the balance before and after each transfer to accurately account for any transfer fees. This could be done by comparing the balance of the contract before and after the transferFrom call, and then updating the accounted balance based on the actual change in balance, rather than the input amount.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.