20,000 USDC
Submission Details
Severity: high

Minimum auction length

Summary

The protocol enforces no minimum auction length, so a pool can be configured with an auction too short for any lender to buy the loan.

Vulnerability Details

If the auction length is set to 1 second on Ethereum mainnet, which has a 12 second block time, and an auction is started at time T, lenders will be unable to buy the loan in the next block at time T+12, and the loan will be eligible to be seized. This is due to the following check in buyLoan: since the auction ends at T+1, it is already over by the next block. The only opportunity to buy the loan is in the same block in which the auction began.

if (block.timestamp > loan.auctionStartTimestamp + loan.auctionLength)
revert AuctionEnded();

In a permissionless protocol, malicious lenders could use this setting when creating a new pool to take collateral from borrowers by following these steps:

  1. Malicious lender creates a pool with an enticingly low interest rate and 2:1 collateral ratio with a 1 second auction length.

  2. User takes out a loan on block X, providing 2x collateral.

  3. Malicious lender starts an auction on block X+1.

  4. Malicious lender calls seizeLoan on block X+2 and keeps the user's collateral.


Impact

High

Malicious actors can abuse the parameters of the protocol to effectively steal collateral from users.

Tools Used

Recommendations

Add a MIN_AUCTION_LENGTH constant with a protocol- and blockchain-appropriate minimum length.

Modify the setPool function to validate it:

if (
p.lender != msg.sender ||
p.minLoanSize == 0 ||
p.maxLoanRatio == 0 ||
p.auctionLength < MIN_AUCTION_LENGTH ||
p.auctionLength > MAX_AUCTION_LENGTH ||
p.interestRate > MAX_INTEREST_RATE
) revert PoolConfig();
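The timing argument in the Vulnerability Details and the recommended setPool guard above, as an added Python model (not the protocol's code, which is Solidity). It mirrors the buyLoan check shown in the finding, treats seizure as opening exactly when the buy window closes (an assumption consistent with the finding, since the page does not show the seize check), and uses illustrative values for MIN_AUCTION_LENGTH, MAX_AUCTION_LENGTH and MAX_INTEREST_RATE that are not the protocol's own. With a 1 second auction on 12 second blocks the buy window is closed by the very next block; with a one hour minimum it is still open, and the pool with the 1 second setting is rejected at creation.

```python
from dataclasses import dataclass

BLOCK_TIME = 12  # seconds between blocks on Ethereum mainnet, as stated in the finding

# Assumed bounds for this model only; the finding leaves the concrete minimum to the
# protocol, so these are illustrative numbers, not the protocol's values.
MIN_AUCTION_LENGTH = 3600            # 1 hour
MAX_AUCTION_LENGTH = 3 * 24 * 3600   # 3 days
MAX_INTEREST_RATE = 100_000


@dataclass
class Pool:
    lender: str
    min_loan_size: int
    max_loan_ratio: int
    auction_length: int
    interest_rate: int


@dataclass
class Loan:
    auction_start_timestamp: int
    auction_length: int


def buy_loan_allowed(loan: Loan, now: int) -> bool:
    """Mirror of the buyLoan check: the contract reverts AuctionEnded once
    block.timestamp > auctionStartTimestamp + auctionLength."""
    return now <= loan.auction_start_timestamp + loan.auction_length


def seize_allowed(loan: Loan, now: int) -> bool:
    """Assumed complement of the buy window: seizure becomes possible as soon as
    buying is no longer possible."""
    return now > loan.auction_start_timestamp + loan.auction_length


def auction_outcome_by_block(auction_length: int, start: int, blocks: int = 3,
                             block_time: int = BLOCK_TIME):
    """For the auction's start block (index 0) and the following blocks, report
    (block_index, lenders_can_buy, pool_lender_can_seize)."""
    loan = Loan(start, auction_length)
    rows = []
    for i in range(blocks):
        now = start + i * block_time
        rows.append((i, buy_loan_allowed(loan, now), seize_allowed(loan, now)))
    return rows


def set_pool_valid(p: Pool, sender: str, min_len: int = MIN_AUCTION_LENGTH,
                   max_len: int = MAX_AUCTION_LENGTH,
                   max_rate: int = MAX_INTEREST_RATE) -> bool:
    """Python form of the recommended setPool validation, including the new
    auctionLength < MIN_AUCTION_LENGTH guard. Returns False where the contract
    would revert with PoolConfig()."""
    if (p.lender != sender
            or p.min_loan_size == 0
            or p.max_loan_ratio == 0
            or p.auction_length < min_len
            or p.auction_length > max_len
            or p.interest_rate > max_rate):
        return False
    return True


if __name__ == "__main__":
    start = 1_700_000_000  # constructed auction start timestamp
    for length in (1, MIN_AUCTION_LENGTH):
        print(f"auctionLength={length}s")
        for blk, buy, seize in auction_outcome_by_block(length, start):
            print(f"  block +{blk}: buyLoan {'ok' if buy else 'reverts'}, "
                  f"seize {'ok' if seize else 'not yet'}")
    short_pool = Pool("lender", 1, 2, 1, 1000)
    sane_pool = Pool("lender", 1, 2, MIN_AUCTION_LENGTH, 1000)
    print("setPool with 1s auction accepted:", set_pool_valid(short_pool, "lender"))
    print("setPool with 1h auction accepted:", set_pool_valid(sane_pool, "lender"))
```

The per-block table is the whole argument in one place: the only row where buying succeeds with a 1 second auction is the start block itself, which is why the minimum must be measured in multiples of the chain's block time rather than in seconds the lender picks freely.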
