Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Updating balance in the case of ERC20 that returns false and doesn't revert

amarfares

Summary

It is possible to update the p.poolBalance in the case of using an ERC20 token that returns false and doesn't revert.

Vulnerability Details

In the function addToPool we first update the pool balance, and after that we transfer the tokens.

_updatePoolBalance(poolId, pools[poolId].poolBalance + amount);

// transfer the loan tokens from the lender to the contract

IERC20(pools[poolId].loanToken).transferFrom(

msg.sender,

address(this),

amount

);

Impact

If the ERC20 token used for the pool is one that doesn't revert but returns false, we have no check to capture if the transfer succeeded or failed. Thus, we are able to escalate this by updating the poolBalance even though we do not transfer the tokens, which leads to both accounting issues and loss of funds for the contract once the maliciously updated balance is used with the removeFromPool function, or even another function, e.g. buyLoan.

Tools Used

Manual Review

Recommendations

Either implement a whitelist of allowed ERC20 tokens to be used that always revert on failure, or use require(success, "transfer failed"); check.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!