Borrower/Lender excessive ETH not refunded and permanently locked in protocol #39
Comments
dmvt marked the issue as duplicate of #25
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as selected for report
dmvt: This has been rated medium because it requires that the borrower or lender send too much ETH in the first place (external factor). Great report quality!
dmvt marked the issue as satisfactory
liveactionllama marked the issue as not a duplicate
liveactionllama marked the issue as primary issue
Related issue #25: `LineOfCredit.addCredit` do not return overpaid in ETH amount and do not add it to credit
kibagateaux marked the issue as sponsor confirmed
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L292
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L315
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L223
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L265
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L71
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L388
Vulnerability details
Impact
The protocol does not refund overpayment of ETH. Excessive ETH is not included in the protocol's accounting; as a result, the funds are permanently locked in the protocol (loss of funds).
There are multiple scenarios where excessive ETH could be sent to the protocol by borrowers and lenders.
The vulnerability affects at least five different scenarios and locks both the lender's and the borrower's ETH in LineOfCredit if overpaid. There is no way to transfer the locked ETH back to the users, as the withdraw methods are dependent on the internal accounting (which is not updated with the locked ETH).
This vulnerability impacts EscrowedLine, LineOfCredit, SpigotedLine and SecuredLine.
Proof of Concept
The bug resides in the `receiveTokenOrETH` function when receiving ETH. The function does not handle the case where `msg.value` is larger than `amount`, meaning a refund of `msg.value - amount` is needed. In such cases the full `msg.value` is added to the ETH balance of LineOfCredit, although only `amount` is used in the internal accounting. Thus the excessive ETH is permanently locked in the contract, as the withdraw methods depend on the internal accounting.
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L59
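The accounting mismatch described above, as an added illustration that is not the project's code: a simplified ETH-receiving helper in the shape the report describes (any `msg.value >= amount` is accepted, only `amount` is credited) beside the two hardened variants that correspond to the mitigation options, plus a `strandedEth()` view that a test or monitor can use to check the invariant "ETH held equals ETH accounted for". Contract, library and function names here are assumptions, not the project's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified stand-in for the ETH branch of the line's token-receiving helper.
/// Not the project's LineLib; names and shapes are assumptions for illustration.
library ReceiveEthExample {
    /// Vulnerable shape described in the report: msg.value >= amount is accepted,
    /// but the caller only credits `amount`, so msg.value - amount is stranded.
    function receiveVulnerable(uint256 amount) internal {
        if (msg.value < amount) revert("insufficient ETH");
        // surplus remains in address(this) with no accounting entry
    }

    /// Mitigation option A: require the exact amount and revert otherwise.
    function receiveStrict(uint256 amount) internal {
        if (msg.value != amount) revert("msg.value must equal amount");
    }

    /// Mitigation option B: accept the payment and return the surplus to msg.sender.
    /// Callers should update state before invoking this (checks-effects-interactions),
    /// since the refund is an external call.
    function receiveWithRefund(uint256 amount) internal {
        if (msg.value < amount) revert("insufficient ETH");
        uint256 surplus = msg.value - amount;
        if (surplus > 0) {
            (bool ok, ) = payable(msg.sender).call{value: surplus}("");
            require(ok, "refund failed");
        }
    }
}

/// Minimal line-like contract showing how the invariant breaks and how it is restored.
contract LockedEthDemo {
    uint256 public totalAccounted; // what withdraw paths would be allowed to pay out

    function depositVulnerable(uint256 amount) external payable {
        ReceiveEthExample.receiveVulnerable(amount);
        totalAccounted += amount; // msg.value - amount is now unreachable
    }

    function depositFixed(uint256 amount) external payable {
        totalAccounted += amount;                  // effects first
        ReceiveEthExample.receiveWithRefund(amount); // interaction last
    }

    /// ETH held by the contract that no accounting entry can ever release.
    /// A non-zero value after any deposit means funds are stranded.
    function strandedEth() external view returns (uint256) {
        return address(this).balance - totalAccounted;
    }
}
```

Sending 1.5 ETH with `amount = 1 ether` to `depositVulnerable` leaves `strandedEth()` at 0.5 ETH; the same call to `depositFixed` leaves it at 0.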
Scenarios where the borrower's ETH funds will be locked in LineOfCredit:
- `depositAndClose` with an ETH value that is above the owed debt.
- `depositAndRepay` with an ETH value that is above the amount specified in the parameters.
- `close` with an ETH value that is above the owed fees.
Scenarios where the lender's ETH funds will be locked in LineOfCredit:
- `addCredit` with an ETH value that is greater than the `amount` parameter.
- `increaseCredit` with an ETH value that is greater than the `amount` parameter.
The above scenarios will happen when calling `depositAndClose()`, `close(id)` and `depositAndRepay(amount)`, as they internally update the fees with the `_accrue` method. The amount changes every second because part of the formula that calculates the fees is based on a multiplication by the seconds passed since the previous calculation. In most cases, the caller will not know the amount of interest that will be accrued and must send excessive ETH so the transaction does not revert.
```
InterestAccrued = (rate.dRate * drawnBalance * timespan) / INTEREST_DENOMINATOR + (rate.fRate * (facilityBalance - drawnBalance) * timespan) / INTEREST_DENOMINATOR
```
Where `timespan` is `timespan = block.timestamp - rate.lastAccrued`.
The POC includes four of the mentioned scenarios. To run the POC, add the below code to the LineOfCredit.t.sol test and execute `forge test -v`.
Expected output:
Add the following code to the tests:
The POC demonstrates how borrower and lender funds get locked in the protocol.
Tools Used
VS Code, Foundry
Recommended Mitigation Steps
Options:
- Refund the excess to `msg.sender` if `msg.value > amount`.
- Change `if(msg.value < amount)` to `if(msg.value != amount)` and revert the transaction.