20,000 USDC
Submission Details
Severity: gas

Lenders Cannot Track LoanIDs for Loans Created Using Lenders' PoolIDs

Summary

context: lender.sol

Loans are created using pools set up by lenders. However, lenders do not have information about which loans belong to
their specific poolID. Consequently, lenders face difficulties when calling functions like lender.giveLoan() because
they need to provide loanIDs as parameters, but they don't know those loan IDs.

Vulnerability Details

There is no vulnerability in the code; this issue pertains to information management.

Proof Of Concept:

Alice is a lender who creates a pool.

Borrowers take loans from Alice's pool, resulting in loan IDs such as 1, 19, 10, 30, 50, etc.

Now, Alice wants to transfer some loans to another lender to retrieve her tokens, but she doesn't know the specific loan
IDs associated with her pool.

Impact

Alice (the lender) is unable to identify which loan IDs belong to her pool ID.

Tools Used

Manual Inspection

Recommendations

To address this issue, a loanIds array should be included in the Pool struct that a lender's pool is stored in.
Whenever a loan is created using a particular pool ID, its loan ID should be pushed into that pool's loanIds array.

struct Pool {
    /// @notice address of the lender
    address lender;
    /// @notice address of the loan token
    address loanToken;
    /// @notice address of the collateral token
    address collateralToken;
    /// @notice the minimum size of the loan (to prevent griefing)
    uint256 minLoanSize;
    /// @notice the maximum size of the loan (also equal to the balance of the lender)
    uint256 poolBalance;
    /// @notice the max ratio of loanToken/collateralToken (multiplied by 10**18)
    uint256 maxLoanRatio;
    /// @notice the length of a refinance auction
    uint256 auctionLength;
    /// @notice the interest rate per year in BIPs
    uint256 interestRate;
    /// @notice the outstanding loans this pool has
    uint256 outstandingLoans;
    /// @notice IDs of the loans created from this pool
    uint256[] loanIds;
}

By implementing this fix, lenders can access their entire struct using their bytes32 pool ID, enabling them to track the
loans associated with their pool more effectively.
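
The recommendation above, worked through as an added example (not code from the audited contract or from the report's author). PoolLoanIndex, borrow(), moveLoan(), getLoanIds() and the two helper mappings are hypothetical names, and the Pool struct is reduced to the fields the bookkeeping needs. It goes one step beyond the report by also removing an ID when a loan leaves a pool, and by exposing the array through an explicit getter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration: a reduced registry, not the audited Lender contract.
contract PoolLoanIndex {
    struct Pool {
        address lender;
        uint256[] loanIds; // IDs of the loans currently funded by this pool
    }
    mapping(bytes32 => Pool) private pools;
    mapping(uint256 => bytes32) public poolOfLoan;
    mapping(uint256 => uint256) private slotPlusOne; // index in loanIds + 1; 0 = untracked
    uint256 public nextLoanId;
    function createPool(bytes32 poolId) external {
        require(pools[poolId].lender == address(0), "pool exists");
        pools[poolId].lender = msg.sender;
    }
    // Stand-in for borrowing: only the bookkeeping the report asks for.
    function borrow(bytes32 poolId) external returns (uint256 loanId) {
        require(pools[poolId].lender != address(0), "no pool");
        loanId = nextLoanId++;
        _track(poolId, loanId);
    }
    // Stand-in for giveLoan(): the loan leaves one pool's list and joins another's.
    // An untracked loanId maps to the empty pool, whose lender is address(0), so it reverts here.
    function moveLoan(uint256 loanId, bytes32 toPool) external {
        require(pools[poolOfLoan[loanId]].lender == msg.sender, "not lender");
        require(pools[toPool].lender != address(0), "no pool");
        _untrack(loanId);
        _track(toPool, loanId);
    }
    function _track(bytes32 poolId, uint256 loanId) internal {
        pools[poolId].loanIds.push(loanId);
        slotPlusOne[loanId] = pools[poolId].loanIds.length;
        poolOfLoan[loanId] = poolId;
    }
    // Swap-and-pop removal keeps the cost constant however many loans a pool has.
    function _untrack(uint256 loanId) internal {
        uint256[] storage ids = pools[poolOfLoan[loanId]].loanIds;
        uint256 slot = slotPlusOne[loanId];
        uint256 last = ids[ids.length - 1];
        ids[slot - 1] = last;       // move the last ID into the freed slot
        slotPlusOne[last] = slot;
        ids.pop();
        delete slotPlusOne[loanId];
    }
    // Explicit getter: an auto-generated public getter skips array members of a struct.
    function getLoanIds(bytes32 poolId) external view returns (uint256[] memory) {
        return pools[poolId].loanIds;
    }
}
```

Each tracked loan costs additional storage writes when it is created or moved, so the bookkeeping trades gas on those calls for on-chain lookups by pool ID.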
