Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Fees.sol - sellProfits() - Open function - Anyone can swap contracts balance to any token. Anyone can sell tokens

LaScaloneta

Summary

The Fees contract in the provided Solidity code snippet contains an open access vulnerability in the sellProfits method, which could potentially allow any user or contract to swap the contract's balance into any desired token.

Vulnerability Details

The sellProfits method is set as public and without any restrictions or access control mechanisms. This means that any external actor (individuals, contracts) can call this method and initiate a token swap, converting all available _profits tokens to WETH, which could result in unauthorized and possibly malicious transactions.

function sellProfits(address _profits) public {

require(_profits != WETH, "not allowed");

uint256 amount = IERC20(_profits).balanceOf(address(this));

ISwapRouter.ExactInputSingleParams memory params = ISwapRouter

.ExactInputSingleParams({

tokenIn: _profits,

tokenOut: WETH,

fee: 3000,

recipient: address(this),

deadline: block.timestamp,

amountIn: amount,

amountOutMinimum: 0,

sqrtPriceLimitX96: 0

});

amount = swapRouter.exactInputSingle(params);

IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));

}

This method, when called, swaps the _profits token for WETH (Wrapped Ether). The code lacks any mechanism to prevent unauthorized users from executing this function, resulting in a potential vulnerability.

Impact

If exploited, this vulnerability can lead to unauthorized and potentially malicious token swaps, it could allow an attacker to manipulate the contract for their own advantage.

Tools Used

Manual review.

Recommendations

It is highly recommended to incorporate access control mechanisms into the sellProfits method. The OpenZeppelin library provides simple and effective solutions for role-based access control. A modifier that checks if the caller has the appropriate role before executing the function could prevent unauthorized usage. Implementing an onlyOwner or onlyAuthorized modifier could be an effective way to restrict access to this function. Here is a simple example:

modifier onlyOwner {

require(msg.sender == owner, "Caller is not the owner");

}

function sellProfits(address _profits) public onlyOwner {

// existing code

}

The onlyOwner modifier checks that the sender of the transaction is the owner before the execution of the function continues. The owner address could be set at the contract's deployment.

Please note that this is a simple solution and your exact implementation might require more complex access control. For instance, you might want to use OpenZeppelin's AccessControl contract to create more granular roles and permissions.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!