Submission Details
Severity: high
Valid

Fee on transfer tokens

Summary

Decide if fee on transfer tokens are allowed

Vulnerability Details

The README does not state that fee-on-transfer tokens are disallowed. If these tokens are allowed in the protocol, the contract needs to be modified to handle them correctly: the contract's ERC20 balanceOf must be read before and after each transfer, and the difference used as the amount actually received. Here is an example of how borrow can determine the actual number of collateral tokens transferred to the contract and then record the loan accordingly.

```solidity
// Snapshot the contract's collateral balance before pulling tokens in
uint256 balanceBefore = IERC20(pool.collateralToken).balanceOf(address(this));
IERC20(pool.collateralToken).transferFrom(
    msg.sender,
    address(this),
    collateral
);
// Credit only what actually arrived, not the caller-supplied `collateral`
uint256 actualCollateral = IERC20(pool.collateralToken).balanceOf(address(this)) - balanceBefore;
Loan memory loan = Loan({
    lender: pool.lender,
    borrower: msg.sender,
    loanToken: pool.loanToken,
    collateralToken: pool.collateralToken,
    debt: debt,
    collateral: actualCollateral,
    interestRate: pool.interestRate,
    startTimestamp: block.timestamp,
    auctionStartTimestamp: type(uint256).max,
    auctionLength: pool.auctionLength
});
```

Impact

High if the protocol is intended to accept any ERC20 token, since a loan would then record more collateral than the contract actually received.

Tools Used

Recommendations

Right now there is no token whitelist or any other way to restrict which tokens a user can create a pool with, so fee-on-transfer tokens will enter the protocol, as they are numerous. From reading the paper, it seems there is a desire to keep governance to a minimum, so a governance process to manage an allowed-token whitelist does not fit the protocol's goals. In conclusion, I think the contract needs to be changed to use balanceOf before and after each transfer to find the actual number of tokens received.
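As an added illustration of the finding and the recommendation above (not the audited protocol's code), the constructed contracts below pair a fee-on-transfer token that burns 1% of every transfer with a hypothetical vault that credits deposits both the naive way and the recommended balanceOf-delta way; FeeOnTransferToken, CollateralVault and shortfall are assumed names, and OpenZeppelin Contracts v5 is assumed to be available at the import path shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 is available at this import path.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Constructed fee-on-transfer token: 1% of every transfer is burned,
/// so the recipient receives less than the `value` passed to transferFrom.
contract FeeOnTransferToken is ERC20 {
    constructor() ERC20("FeeToken", "FEE") { _mint(msg.sender, 1_000_000e18); }

    function _update(address from, address to, uint256 value) internal override {
        uint256 fee = (from != address(0) && to != address(0)) ? value / 100 : 0;
        if (fee > 0) super._update(from, address(0), fee); // burn the fee
        super._update(from, to, value - fee);              // deliver the remainder
    }
}

/// Hypothetical minimal collateral vault (not the audited protocol's code)
/// showing the two ways of crediting a deposit side by side.
contract CollateralVault {
    IERC20 public immutable collateralToken;
    mapping(address => uint256) public collateralOf; // what the vault thinks each user deposited
    uint256 public totalCredited;                    // sum of all credits handed out

    constructor(IERC20 token) { collateralToken = token; }

    /// Vulnerable pattern: trusts the caller-supplied amount.
    function depositUnsafe(uint256 amount) external {
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collateralOf[msg.sender] += amount;   // credits 100 when only 99 arrived
        totalCredited += amount;
    }

    /// Recommended pattern: credit only the balance delta actually received.
    function depositSafe(uint256 amount) external {
        uint256 before = collateralToken.balanceOf(address(this));
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = collateralToken.balanceOf(address(this)) - before;
        collateralOf[msg.sender] += received; // credits 99 when 99 arrived
        totalCredited += received;
    }

    /// Collateral the vault has promised out but does not actually hold:
    /// zero if every deposit used depositSafe, growing with each depositUnsafe.
    function shortfall() external view returns (uint256) {
        uint256 held = collateralToken.balanceOf(address(this));
        return totalCredited > held ? totalCredited - held : 0;
    }
}
```

Deploying the token and vault together, approving the vault, and calling depositUnsafe with 100e18 leaves shortfall() at 1e18, while the same deposit through depositSafe leaves it at zero.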
