excess `eth` passed to `LineOfCredit` is stuck #307

code423n4 · 2022-11-10T15:24:29Z

Lines of code

https://github.com/debtdao/Line-of-Credit/blob/master/contracts/utils/LineLib.sol#L71

Vulnerability details

Impact

excess eth sent to LineOfCredit is stuck in the contract. SecuredLine and SpigotedLine both have a sweep that can eventually release the eth. But this kind of applies to them too as it requires the debit to be repaid or only the arbiter can retrieve them.

Proof of Concept

PoC test in LineOfCredit.t.sol

    function test_credit_position_ETH_to_much_sent() public {
        assertEq(address(line).balance, 0, "Line balance should be 0");
        assertEq(lender.balance, mintAmount, "lender should have initial mint balance");
        console.log(lender.balance);
        hoax(borrower);
        line.addCredit(dRate, fRate, 1 ether, Denominations.ETH, lender);

        vm.startPrank(lender);
        line.addCredit{value: 2 ether}(dRate, fRate, 1 ether, Denominations.ETH, lender);
        vm.stopPrank();
        console.log(lender.balance);
        bytes32 id = line.ids(0);
        assert(id != bytes32(0));
        assertEq(address(line).balance, 2 ether, "Line balance should be 1e18");
        assertEq(lender.balance, mintAmount - 2 ether, "Lender should have initial mint balance minus 1e18");

        vm.startPrank(lender);
        // line.withdraw(id,2 ether); fails
        line.withdraw(id,1 ether);
        assertEq(address(line).balance, 1 ether, "Line balance should be 1e18");
        
        // line.withdraw(id,1 ether); fails
        vm.stopPrank();
    }

Tools Used

vscode, forge

Recommended Mitigation Steps

change:

diff --git a/contracts/utils/LineLib.sol b/contracts/utils/LineLib.sol
index fb112cb..62fc7f8 100644
--- a/contracts/utils/LineLib.sol
+++ b/contracts/utils/LineLib.sol
@@ -68,7 +68,7 @@ library LineLib {
         if(token != Denominations.ETH) { // ERC20
             IERC20(token).safeTransferFrom(sender, address(this), amount);
         } else { // ETH
-            if(msg.value < amount) { revert TransferFailed(); }
+            if(msg.value != amount) { revert TransferFailed(); } 
         }
         return true;
     }

There's never any reason to send more eth than stated in amount to the contract.

The text was updated successfully, but these errors were encountered:

c4-judge · 2022-11-17T14:37:30Z

dmvt marked the issue as duplicate of #25

c4-judge · 2022-12-06T15:38:38Z

dmvt marked the issue as satisfactory

C4-Staff · 2022-12-20T06:44:54Z

liveactionllama marked the issue as duplicate of #39

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 10, 2022

code423n4 added a commit that referenced this issue Nov 10, 2022

immeas issue #307

a1ef962

code423n4 added the edited-by-warden label Nov 10, 2022

c4-judge closed this as completed Nov 17, 2022

c4-judge added the duplicate-25 label Nov 17, 2022

c4-judge added the satisfactory Finding meets requirement label Dec 6, 2022

C4-Staff removed the duplicate-25 label Dec 20, 2022

C4-Staff added the duplicate-39 label Dec 20, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

excess `eth` passed to `LineOfCredit` is stuck #307

excess `eth` passed to `LineOfCredit` is stuck #307

code423n4 commented Nov 10, 2022 •

edited

c4-judge commented Nov 17, 2022

c4-judge commented Dec 6, 2022

C4-Staff commented Dec 20, 2022

excess eth passed to LineOfCredit is stuck #307

excess eth passed to LineOfCredit is stuck #307

Comments

code423n4 commented Nov 10, 2022 • edited

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Nov 17, 2022

c4-judge commented Dec 6, 2022

C4-Staff commented Dec 20, 2022

excess `eth` passed to `LineOfCredit` is stuck #307

excess `eth` passed to `LineOfCredit` is stuck #307

code423n4 commented Nov 10, 2022 •

edited