`useAndRepay` function can be used to underflow the principal debt of a credit #336
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-461
satisfactory: Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/SpigotedLine.sol#L146
Vulnerability details
The function `useAndRepay` present in the SpigotedLine contract doesn't check that the amount is within the debt limit and can be used by a malicious lender to underflow the principal variable and manipulate the debt of a credit.
Impact
A malicious lender can use the `useAndRepay` function to underflow the `principal` variable of the Credit struct by sending an amount that is greater than the limit of the debt (principal + interest accrued). Once underflowed, this will represent artificial debt generated in the credit.
This is possible because the function doesn't check that the amount is within the debt limit, and also because the function `CreditLib.repay` uses unchecked math for its calculations, assuming the calling function does the proper checks.
This can be used by a bad actor to manipulate the principal amount of his credit and artificially generate debt.
PoC
In the following test, the lender pays off the debt using revenue coming from the Spigot by calculating the sum of principal and interest accrued and offsetting that amount by 1 token more to trigger the conditions. This will underflow the credit and set the principal to max uint.
Note: the context for this test (setup, variables and helper functions) is similar to the one found in the file `SpigotedLine.t.sol`.
Recommendation
Validate that the `amount` param in the `useAndRepay` function is within the limits of the debt (`amount <= credit.principal + credit.interestAccrued`).
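The unchecked subtraction and the recommended bound, side by side, as an added example that is not the project's code. It is a simplified model: the two-field `Credit` struct, the names `RepayModel`, `repayUnchecked`, `repayBounded` and `demoWraps`, and the interest-first repayment order are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

/// Added illustration only: a simplified model, not the Line-of-Credit source.
contract RepayModel {
    // Hypothetical reduced struct holding only the fields the finding names.
    struct Credit {
        uint256 principal;
        uint256 interestAccrued;
    }

    error RepayExceedsDebt(uint256 amount, uint256 owed);

    /// Unchecked repay: pays interest first, then the remainder against
    /// principal. Relies on the caller having bounded `amount` by the debt.
    function repayUnchecked(Credit memory c, uint256 amount)
        public pure returns (Credit memory)
    {
        unchecked {
            if (amount <= c.interestAccrued) {
                c.interestAccrued -= amount;
            } else {
                uint256 toPrincipal = amount - c.interestAccrued;
                c.interestAccrued = 0;
                // Wraps modulo 2**256 when toPrincipal > c.principal.
                c.principal -= toPrincipal;
            }
        }
        return c;
    }

    /// Same repayment with the recommended bound enforced before any math.
    function repayBounded(Credit memory c, uint256 amount)
        external pure returns (Credit memory)
    {
        uint256 owed = c.principal + c.interestAccrued; // checked add in 0.8+
        if (amount > owed) revert RepayExceedsDebt(amount, owed);
        return repayUnchecked(c, amount);
    }

    /// Constructed sample: principal 100, interest 5, repayment of 106
    /// (one unit over the total owed).
    function demoWraps() external pure returns (bool) {
        Credit memory c = Credit({principal: 100, interestAccrued: 5});
        return repayUnchecked(c, 106).principal == type(uint256).max;
    }
}
```

Calling `repayBounded` with the same constructed values reverts with `RepayExceedsDebt` instead of writing a wrapped principal.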