Borrower can craft a borrow that cannot be liquidated, even by arbiter. #421
Comments
dmvt marked the issue as duplicate of #69
dmvt marked the issue as not a duplicate
dmvt marked the issue as duplicate of #354
dmvt marked the issue as nullified
Unclear why this issue is nullified, I have demonstrated a POC that shows line cannot be declared insolvent.
Kicking back to the sponsor for another look. I'm inclined to bring this one back as valid unless the sponsor can show why it isn't.
I don't want to delay post-judging QA, so for now I'm going to move forward. This ruling is subject to change pending further comment from the sponsor.
dmvt marked the issue as not nullified
dmvt marked the issue as not a duplicate
dmvt marked the issue as primary issue
dmvt marked the issue as satisfactory
dmvt marked the issue as selected for report
kibagateaux marked the issue as sponsor confirmed
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L516-L538
Vulnerability details
Description
LineOfCredit manages an array of open credit line identifiers called ids. Many interactions with the Line operate on ids[0], which is presumed to be the oldest borrow which has non-zero principal. For example, borrowers must first deposit and repay to ids[0] before other credit lines. The list is managed by several functions:
The idea I had is that if we could corrupt the ids array so that ids[0] would be zero, but after it there would be some other active borrows, it would be a very severe situation. The whileBorrowing() modifier assumes that if the first element has no principal, the borrower is not borrowing.
It turns out there is a simple sequence of calls which allows borrowing while ids[0] is deleted, and does not re-arrange the new borrow into ids[0]!
id == bytes32(0) is true).
From this sequence, we achieve a borrow while ids[0] is 0! Therefore, credits[ids[0]].principal = credits[0].principal = 0, and whileBorrowing() reverts.
The impact is massive - the following functions are disabled:
Impact
Borrower can craft a borrow that cannot be liquidated, even by arbiter. Alternatively, functionality may be completely impaired through no fault of users.
Proof of Concept
Copy the following code into LineOfCredit.t.sol
Tools Used
Manual audit
Recommended Mitigation Steps
When sorting new borrows into the ids queue, do not skip any elements.
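The invariant behind the head-only check, and a sort that skips no slot, shown on a simplified model of the queue. This is an added example, not the project's contract and not part of the original report; QueueModel and all of its function names are hypothetical, and the corrupted state is constructed directly rather than reached through the Line's functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

/// Added illustration: simplified model of the ids queue, not the LineOfCredit contract.
contract QueueModel {
    struct Credit { uint256 principal; }

    bytes32[] public ids;                       // queue of open credit line ids
    mapping(bytes32 => Credit) public credits;  // credits[bytes32(0)] is never written

    /// Head-only check, as the report describes whileBorrowing(): inspects ids[0] only.
    function headIsBorrowing() public view returns (bool) {
        return ids.length != 0 && credits[ids[0]].principal != 0;
    }

    /// Invariant the head-only check relies on: if any slot holds principal, ids[0] does too.
    function queueInvariantHolds() public view returns (bool) {
        if (headIsBorrowing()) return true;
        for (uint256 i; i < ids.length; ++i) {
            if (credits[ids[i]].principal != 0) return false; // debt behind an empty head
        }
        return true;
    }

    /// Sort that skips no element: a deleted slot (bytes32(0)) counts as a free spot.
    function sortIntoQ(bytes32 p) public {
        require(p != bytes32(0), "empty id");
        uint256 len = ids.length;
        for (uint256 i; i < len; ++i) {
            bytes32 id = ids[i];
            if (id == p) return; // every slot ahead of p is occupied by an active borrow
            if (id == bytes32(0) || credits[id].principal == 0) {
                // First free spot found: swap p forward into it.
                for (uint256 j = i + 1; j < len; ++j) {
                    if (ids[j] == p) { ids[j] = id; ids[i] = p; return; }
                }
                return; // p is not in the queue
            }
        }
    }

    /// Constructed state for the demonstration: ids = [0x0, id], principal on id.
    function seedCorruptedState(bytes32 id, uint256 principal) external {
        delete ids;
        ids.push(bytes32(0));
        ids.push(id);
        credits[id].principal = principal;
    }
}
```

After seedCorruptedState(id, 100), headIsBorrowing() and queueInvariantHolds() both return false; after sortIntoQ(id), both return true. The same invariant can be asserted in a Foundry invariant test against the real contract's ids and credits getters.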