receiveTokenOrETH() MAY LOCK ETHER SENT TO THE CONTRACT, FOREVER #388
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-355
partial-25
Comments
code423n4 added the 2 (Med Risk) and bug labels on Nov 10, 2022
dmvt marked the issue as duplicate of #25
dmvt marked the issue as partial-25
dmvt marked the issue as not a duplicate
dmvt marked the issue as duplicate of #89
dmvt marked the issue as partial-25
liveactionllama marked the issue as duplicate of #355
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/6987988fe39901cad9a8e5ebb2c6aa719590873d/contracts/utils/LineLib.sol#L59
Vulnerability details
Impact
receiveTokenOrETH() receives funds. However, there is a code path within the function that does not require Ether. Ether passed to the function, when the non-Ether code path is taken, is locked in the contract forever, and the sender gets nothing extra in return for it.
Proof of Concept
If ETH is provided for an ERC20 credit line, it would not be accounted for, thus lost forever to the user. msg.value shouldn’t be provided here:
Tools Used
VSCode
Recommended Mitigation Steps
Add a require(0 == msg.value) for the above three conditions.
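The failure mode and the recommended check, side by side, as an added example that is not part of the original report and is not the project's code. The contract name, function names, the `ETH` sentinel value and the simplified branch logic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Minimal ERC20 surface needed for the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract: a simplified token-or-ETH receive routine.
contract ReceiveExample {
    // Constructed sentinel meaning "native ETH" (assumption, not the project's constant).
    address constant ETH = address(uint160(uint256(keccak256("ETH"))));

    error TransferFailed();
    error UnexpectedEther();

    // Vulnerable shape: the ERC20 branch never inspects msg.value, so any ETH
    // attached to a token deposit stays in the contract with no accounting.
    function receiveVulnerable(address token, uint256 amount) external payable {
        if (token == address(0)) revert TransferFailed();
        if (token != ETH) {
            // ERC20 path: msg.value is silently accepted here.
            if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) {
                revert TransferFailed();
            }
        } else {
            // ETH path: the attached value must cover the amount.
            if (msg.value < amount) revert TransferFailed();
        }
    }

    // Hardened shape: the ERC20 branch rejects any attached ETH, which is the
    // require(0 == msg.value) check from the recommended mitigation.
    function receiveHardened(address token, uint256 amount) external payable {
        if (token == address(0)) revert TransferFailed();
        if (token != ETH) {
            // Revert before moving tokens so the caller keeps both assets.
            if (msg.value != 0) revert UnexpectedEther();
            if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) {
                revert TransferFailed();
            }
        } else {
            if (msg.value < amount) revert TransferFailed();
        }
    }
}
```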