The Beedle contract has several functions that make external calls (token transfers) before updating their own state, which opens the door to a reentrancy attack.
Consider the following sequence of actions:
User A sets up a lending pool.
User B borrows from User A's lending pool.
User A attempts to seize the loan, which is not claimed in an auction.
In this sequence, the seizeLoan function makes multiple external calls (token transfers, including one to the lender) and only deletes the loan at the end of the function:
While seizeLoan is executing, User A can reenter the giveLoan function from one of those external calls, provided the token being transferred hands control to the recipient (for example, a token with a transfer hook such as an ERC777-style callback) and giveLoan's checks pass (for example, the lender check, since User A is still recorded as the loan's lender). The reentry is possible because the loan is still considered valid until it is deleted at the end of seizeLoan.
Inside the reentrant call, User A gives the loan away to another pool, and the loan token balances are updated as if a normal transfer of the loan had taken place, so User A is paid out in loan tokens.
The seizeLoan call then finishes and deletes the loan, wiping out the record of the lender who was just given the loan, even though that lender's funds have already been paid out.
User A has now received both loan tokens and collateral tokens for the same loan, leaving the protocol's accounting out of balance.
This reentrancy vulnerability could have a high impact, leading to a loss of funds for the protocol and users as well as an imbalance in the protocol's accounting. Depending on the specific circumstances and the extent of the reentrancy, this vulnerability could potentially render the protocol insolvent.
Manual analysis
To mitigate this vulnerability, we recommend adding reentrancy protection to the functions that make external calls. One common solution is to use a reentrancy guard, such as the one provided by the OpenZeppelin library; in addition, following the checks-effects-interactions pattern (deleting or updating the loan before the token transfers) removes the window in which the loan is still valid during the external call.
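The following is an added illustration of the bug shape and the recommended fix, not Beedle's own code: a stripped-down lender whose `seizeLoan` transfers collateral before deleting the loan, a lender-side contract that reenters `giveLoan` from the collateral token's transfer hook, and a hardened version that deletes first and wraps both functions in OpenZeppelin's `nonReentrant`. The struct fields, the `poolBalance` mapping, the `ITransferHook` interface (standing in for an ERC777-style recipient callback) and the OpenZeppelin 5.x import path are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/ReentrancyGuard.sol"; // OZ 5.x path (assumption)

// Hypothetical, minimal lending contract written for this note. It is not
// Beedle's code; only the function names and the bug shape mirror the finding.
interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumption: the collateral token invokes this hook on the recipient
// (ERC777 / ERC677-style tokens do something equivalent).
interface ITransferHook {
    function onTokenTransfer(address from, uint256 amount) external;
}

contract VulnerableLender {
    struct Loan {
        address lender;
        address loanToken;
        address collateralToken;
        uint256 debt;
        uint256 collateral;
        uint256 auctionEnd; // 0 = no auction started (assumption for this example)
    }

    mapping(uint256 => Loan) public loans;
    mapping(address => uint256) public poolBalance; // loan tokens each lender has deposited

    // Vulnerable ordering: the external transfer runs while loans[loanId] is
    // still intact, and the delete only happens afterwards.
    function seizeLoan(uint256 loanId) public virtual {
        Loan memory loan = loans[loanId];
        require(loan.auctionEnd != 0 && block.timestamp >= loan.auctionEnd, "auction not over");

        IToken(loan.collateralToken).transfer(loan.lender, loan.collateral); // reentry point

        delete loans[loanId]; // too late: giveLoan may already have run
    }

    // Moves the loan into another lender's pool and pays the current lender its
    // debt out of that pool. On reentry from seizeLoan the lender check still
    // passes because the loan has not been deleted yet.
    function giveLoan(uint256 loanId, address newLender) public virtual {
        Loan memory loan = loans[loanId];
        require(loan.lender == msg.sender, "not lender");
        require(poolBalance[newLender] >= loan.debt, "pool too small");

        poolBalance[newLender] -= loan.debt;
        IToken(loan.loanToken).transfer(loan.lender, loan.debt);
        loans[loanId].lender = newLender; // erased when seizeLoan resumes and deletes the loan
    }
}

// Lender-side attacker: its collateral transfer hook reenters giveLoan once.
contract ReentrantLender is ITransferHook {
    VulnerableLender public immutable target;
    uint256 public loanId;
    address public victimPool;
    bool private armed;

    constructor(VulnerableLender t) { target = t; }

    function attack(uint256 id, address pool) external {
        loanId = id;
        victimPool = pool;
        armed = true;
        target.seizeLoan(id); // -> collateral transfer -> onTokenTransfer -> giveLoan
    }

    function onTokenTransfer(address, uint256) external override {
        if (armed) {
            armed = false;
            target.giveLoan(loanId, victimPool); // loan still exists, so the debt is paid out too
        }
    }
}

// Hardened: state is updated before the external call (checks-effects-interactions)
// and both functions share one reentrancy guard, so neither can reenter the other.
contract SafeLender is VulnerableLender, ReentrancyGuard {
    function seizeLoan(uint256 loanId) public override nonReentrant {
        Loan memory loan = loans[loanId];
        require(loan.auctionEnd != 0 && block.timestamp >= loan.auctionEnd, "auction not over");

        delete loans[loanId];                                                  // effect first
        IToken(loan.collateralToken).transfer(loan.lender, loan.collateral);   // interaction last
    }

    function giveLoan(uint256 loanId, address newLender) public override nonReentrant {
        super.giveLoan(loanId, newLender);
    }
}
```

Against `SafeLender`, the attacker's `attack` call reverts twice over: the loan is already deleted when the hook fires, so `giveLoan`'s lender check fails, and even if it did not, the shared `nonReentrant` guard rejects the nested call. Either fix alone closes this path; applying both keeps the contract safe if a future function reintroduces an external call before its state update.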