Repaying a line of credit with a higher than necessary claimed revenue amount will force the borrower into liquidation #461
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- H-06
- primary issue: Highest quality submission among a set of duplicates
- satisfactory: Finding meets requirement
- selected for report: This submission will be included/highlighted in the audit report
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/CreditLib.sol#L186
Vulnerability details
A borrower can repay (parts of) a credit line with the `SpigotedLine.useAndRepay` function. This function will use `amount` of `unusedTokens[credit.token]` as a repayment. However, if `amount` exceeds the principal and the accrued interest, `credit.principal` will underflow without an error and set the principal value to a very large number.

This is a problem because a borrower can unknowingly provide a larger than necessary `amount` to the `SpigotedLine.useAndRepay` function to make sure enough funds are used to fully repay the principal and the remaining interest.

Additionally, a lender can do the same thing, as the lender can also call this function.
Impact
The `credit.principal` underflows without an error and will be set to a very large number. This will force a secured line immediately into liquidation. Additionally, having a principal value close to `2^256 - 1` will make it hugely expensive to repay the credit line.

Proof of Concept
utils/CreditLib.sol#L186
To demonstrate the issue, copy the following test case and paste it into the `SpigotedLine.t.sol` test file. Then run `forge test --match-test "test_lender_use_and_repay_underflow"`.

The following scenario causes the repayment to underflow:
- `1 ether` of `revenueToken`
- `2 ether` worth of `revenueToken` is claimed and traded from the revenue contract
- `2 ether`) to repay the line of credit (= `1 ether`)
- `credit.principal` underflows because `principalPayment` is larger than `credit.principal`
Tools Used
Manual review
Recommended mitigation steps
Consider asserting that `amount` is less than or equal to `credit.principal + credit.interestAccrued` (`require(amount <= credit.principal + credit.interestAccrued);`), similar to how it is done in `LineOfCredit.depositAndRepay()`.
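
The underflow and the recommended bound, side by side, as an added example: this is a simplified model written for illustration, not the project's `CreditLib` code. It assumes the principal subtraction runs inside an `unchecked` block, which is what lets Solidity 0.8 wrap instead of revert; `RepayModel`, `repayUnchecked`, `repayChecked` and `demo` are hypothetical names, and the zero accrued interest in `demo` is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Simplified model of the repayment accounting (illustration only, hypothetical names).
contract RepayModel {
    struct Credit {
        uint256 principal;
        uint256 interestAccrued;
        uint256 interestRepaid;
    }

    // Assumed shape of the vulnerable path: arithmetic inside `unchecked`,
    // so Solidity >= 0.8 does not revert when the subtraction underflows.
    function repayUnchecked(Credit memory credit, uint256 amount)
        public pure returns (Credit memory)
    {
        unchecked {
            if (amount <= credit.interestAccrued) {
                credit.interestAccrued -= amount;
                credit.interestRepaid += amount;
                return credit;
            }
            uint256 principalPayment = amount - credit.interestAccrued;
            credit.principal -= principalPayment; // wraps if principalPayment > principal
            credit.interestRepaid += credit.interestAccrued;
            credit.interestAccrued = 0;
            return credit;
        }
    }

    // Hardened path: the bound from the recommended mitigation, checked before any update.
    function repayChecked(Credit memory credit, uint256 amount)
        public pure returns (Credit memory)
    {
        require(amount <= credit.principal + credit.interestAccrued, "amount exceeds debt");
        return repayUnchecked(credit, amount);
    }

    // Scenario from the report: 1 ether of principal repaid with 2 ether.
    // Accrued interest of 0 is a constructed value to keep the arithmetic visible.
    function demo() external pure returns (uint256 wrappedPrincipal) {
        Credit memory c = Credit(1 ether, 0, 0);
        wrappedPrincipal = repayUnchecked(c, 2 ether).principal;
        // 1e18 - 2e18 wraps to 2^256 - 1e18
        assert(wrappedPrincipal == type(uint256).max - 1 ether + 1);
    }
}
```

Calling `repayChecked` with the same inputs reverts with "amount exceeds debt", so the oversized claimed amount is rejected before the principal is touched.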