Submission Details
Severity: high

Denial of Service leads to user collateral getting stuck in contract

Summary

The borrow() function allows users to create a loan, which subsequently gets added to the loans array. The original design intended for a loan to be removed from the array when either seizeLoan or repayLoan is called. However, the current implementation uses the delete keyword, which only sets loans[loanId] to the default value of zero, leaving the loan in the loans array. If a large number of loans are created, this could cause transactions to revert, making loans impossible to repay.

Vulnerability Details

A user's collateral could be permanently locked in the contract. If the array grows too large, the repay transaction would revert because the gas needed to iterate over it exceeds the block gas limit. This would make loan repayment impossible, causing a DoS. The lender would also be left without a means to liquidate the owner if another lender doesn't buy the loan, as invoking seizeLoan would also revert and cause a DoS.

Impact

This would stop loans from being seized, meaning a buyer would not run the risk of being liquidated. A user would have no way to repay their loan, since the transaction would always revert and cause a DoS, and the lender would have no method of liquidating the owner if another lender doesn't buy the loan, as calling seizeLoan would also revert and cause a DoS. This would leave a user's collateral locked in the contract forever.

Tools Used

This issue was identified through a manual review of the code.

Recommendations

To address this issue, I recommend modifying the way elements are removed from the array. Instead of using delete, consider using the pop() function. This will effectively remove the element from the array, preventing the array from growing indefinitely and mitigating the potential risks outlined above.
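
The following contract is an added illustration, not code from the audited project: it contrasts delete, which zeroes the slot but leaves the array length unchanged, with a removal that actually shrinks the array. Because pop() only removes the last element, removing an arbitrary loanId needs a swap-and-pop; the Loan fields and all function names other than borrow are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only. The Loan layout is an assumption, not the
/// audited contract's struct.
contract LoanArrayDemo {
    struct Loan {
        address borrower;
        uint256 debt;
    }

    Loan[] public loans;

    function borrow(uint256 debt) external returns (uint256 loanId) {
        loans.push(Loan({borrower: msg.sender, debt: debt}));
        loanId = loans.length - 1;
    }

    /// Behaviour described in the finding: the slot is reset to zero values,
    /// but loans.length stays the same, so the array only ever grows.
    function repayWithDelete(uint256 loanId) external {
        require(loans[loanId].borrower == msg.sender, "not borrower");
        delete loans[loanId];
    }

    /// Swap-and-pop: constant-gas removal that shrinks the array.
    /// Caveat: the loan that was last is moved to index `loanId`, so any
    /// id stored elsewhere (events, mappings, off-chain) for that loan
    /// becomes stale and must be updated.
    function repayWithSwapAndPop(uint256 loanId) external {
        require(loans[loanId].borrower == msg.sender, "not borrower");
        uint256 last = loans.length - 1;
        if (loanId != last) {
            loans[loanId] = loans[last];
        }
        loans.pop();
    }

    /// After N borrows and N repayWithDelete calls this still returns N;
    /// after N repayWithSwapAndPop calls it returns 0.
    function loanCount() external view returns (uint256) {
        return loans.length;
    }
}
```

If loan ids must remain stable, a mapping keyed by an incrementing id avoids both the unbounded array and the index reshuffling.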
