When borrower repays, it can overflow and make them owe 2^256 tokens to lender. #418
Labels: 3 (High Risk), bug, duplicate-461, satisfactory
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/SpigotedLine.sol#L146
Vulnerability details
Description
CreditLib's repay() function is the actual accounting of repayments in a LineOfCredit:
Note that the entire function has no overflow protection. It is assumed that the caller of repay() will perform the necessary validation:
require(amount <= credit.principal + credit.interestAccrued);
If this is not the case, the following line will overflow:
credit.principal -= principalPayment;
Unfortunately, there is one instance where amount is not checked, in useAndRepay():
When the borrower tries to repay using unusedTokens, if they request a repay amount smaller than the unusedTokens total, but larger than the maximum they owe to the lender, it will overflow the principal field. At this point, the borrower will owe close to 2^256 tokens to the lender.
Note that it is very easy for a user to enter a larger amount than is currently owed, as interest is always accruing and they may estimate it to grow faster than it actually does by the time the block is executed.
Impact
When the borrower repays, it can overflow and make them owe 2^256 tokens to the lender.
Proof of Concept
Copy the following code to SpigotedLine.t.sol:
Tools Used
Manual audit
Recommended Mitigation Steps
It is recommended to check for overflow in the repay() function itself, as there is always a risk of introducing threats when adding more calls to repay().
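The recommended check, placed inside the repayment routine rather than in each caller, is shown here next to the wrapping pattern. This is an added example and not code from the Line-of-Credit repository: `RepayModel`, `repayUnchecked`, `repayChecked` and `RepayExceedsDebt` are hypothetical names, and the interest-before-principal split and the `unchecked` block are assumptions used to model "no overflow protection".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

/// Simplified model for illustration only, NOT the Line-of-Credit source.
/// Assumption: a payment covers accrued interest first, then principal.
contract RepayModel {
    struct Credit {
        uint256 principal;
        uint256 interestAccrued;
    }

    error RepayExceedsDebt(uint256 amount, uint256 owed);

    Credit public credit;

    constructor(uint256 principal, uint256 interestAccrued) {
        credit = Credit(principal, interestAccrued);
    }

    /// Pattern from the report: no bounds check, arithmetic allowed to wrap.
    function repayUnchecked(uint256 amount) external {
        Credit memory c = credit;
        unchecked {
            if (amount <= c.interestAccrued) {
                c.interestAccrued -= amount;
            } else {
                uint256 principalPayment = amount - c.interestAccrued;
                c.interestAccrued = 0;
                // If amount > principal + interest, this wraps modulo 2^256.
                c.principal -= principalPayment;
            }
        }
        credit = c;
    }

    /// Mitigation: enforce the invariant where the accounting happens,
    /// so a new caller cannot forget it.
    function repayChecked(uint256 amount) external {
        Credit memory c = credit;
        uint256 owed = c.principal + c.interestAccrued; // checked addition
        if (amount > owed) revert RepayExceedsDebt(amount, owed);
        if (amount <= c.interestAccrued) {
            c.interestAccrued -= amount;
        } else {
            c.principal -= amount - c.interestAccrued;
            c.interestAccrued = 0;
        }
        credit = c;
    }
}
```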