Lender or borrower can loose money if mistakenly sends more than the amount of ETH than the amount money #162
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-39
satisfactory
Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L265
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/LineOfCredit.sol#L223
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/LineOfCredit.sol#L315
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/utils/LineLib.sol#L71
Vulnerability details
Impact
Lender or borrower can loose money if mistakenly sends more than the amount of ETH than the amount money
In the design of the protocol, the lender can use the function increaseCredit or addCredit to add the deposit money for the credit.
Or the borrower can use the function depositAndRepay to deposit and repay for the credit
All these above functions use the amount as input parameter. So after the borrower and lender reaches agreement on the amount, the lender can call increaseCredit or addCredit.
and the borrower can use depositAndRepay always to repay.
But the function LineLib.receiveTokenOrETH(credit.token, msg.sender, amount) just check if the msg.value < amount.
So in case of using ETH, msg.value can be > amount then the transaction still success. But in this case, the lender or the borrower loose money, because the excessed amount (msg.value - amount) is not tracked anywhere in the protocol.
Proof of Concept
The following scenarios is possible and cause users loose money
Scenario 1:
Step 0: The borrower call addCredit or increaseCredit with amount
Step 1: The lender call addCredit or increaseCredit with amount but the msg.value is > amount
The transaction success. The lender lost some money that is (msg.value - amount).
Scenario 2:
Step 0: The credit was created. the borrower has borrowed some money.
Step 1: The borrower call depositAndRepay and sent the msg.value > amount . Then the borrower lost money (msg.value - amount).
Tools Used
VSCode
Recommended Mitigation Steps
Should check
The text was updated successfully, but these errors were encountered: