New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
_sortIntoQ() Wrong sequencing logic may lead to locked funds #281
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-421
satisfactory
Finding meets requirement
Comments
code423n4
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Nov 10, 2022
dmvt marked the issue as duplicate of #69 |
dmvt marked the issue as not a duplicate |
dmvt marked the issue as duplicate of #354 |
dmvt marked the issue as nullified |
c4-judge
added
nullified
Issue is high quality, but not accepted
and removed
duplicate-354
labels
Dec 7, 2022
dmvt marked the issue as not a duplicate |
dmvt marked the issue as duplicate of #421 |
dmvt marked the issue as not nullified |
c4-judge
added
satisfactory
Finding meets requirement
and removed
nullified
Issue is high quality, but not accepted
labels
Dec 8, 2022
dmvt marked the issue as satisfactory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-421
satisfactory
Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L524
Vulnerability details
Impact
LineOfCredit#_sortIntoQ() moving ID into the next availble FIFO position in the repayment queue,but it can not move when ids[0]=bytes32(0), resulting in the inability to #depositAndClose() and #liquidate(), the amount is locked
Proof of Concept
Steps:
Assume there are two Credits
ids[0]={id:id1,token:tokenA,principal:0}
ids[1]={id:id2,token:tokenB,principal:0}
After #depositAndClose() borrowing and fully repaying for ids[0], the result:
ids[0]={id:id2,token:tokenB,principal:0}
ids[1]={id:0,token:0,principal:0}
afer #addCredit() Add a Credit, which becomes:
ids[0]={id:id2,token:tokenB,principal:0}
ids[1]={id:0,token:0,principal:0}
ids[2]={id:id3,token:tokenC,principal:0}
after #depositAndClose() borrowing and full repayment for ids[0]
ids[0]={id:0,token:0,principal:0}
ids[1]={id:id3,token:tokenC,principal:0}
ids[2]={id:0,token:0,principal:0}
#borrow(ids[1]) Borrow 100 for ids[1], since _sortIntoQ() ignores ids[0]==bytes32(0), resulting ids[0] unchanged
ids[0]={id:0,token:0,principal:0} //****always first ****/
ids[1]={id:id3,token:tokenC,principal:100}
ids[2]={id:0,token:0,principal:0}
After that it will not be possible to #depositAndClose() and #liquidate(), the amount is locked, because modifier whileBorrowing() will revert NotBorrowing();
test example code:
Tools Used
Recommended Mitigation Steps
remove id == bytes32(0)
The text was updated successfully, but these errors were encountered: