Revenue stream split can be bypassed #462
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-119
satisfactory
Finding meets requirement
code423n4 added the 3 (High Risk) and bug labels on Nov 10, 2022
dmvt marked the issue as duplicate of #169
dmvt marked the issue as not a duplicate
dmvt marked the issue as duplicate of #169
dmvt marked the issue as not a duplicate
dmvt marked the issue as duplicate of #70
dmvt marked the issue as satisfactory
liveactionllama marked the issue as duplicate of #119
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/SpigotLib.sol#L90

Vulnerability details
The `Spigot.claimRevenue` function allows (anyone) to claim revenue tokens from the spigot (push and pull payments) and escrows them for the owner to withdraw later.

The revenue is automatically split between the treasury and escrow according to the settings in `SpigotState.settings[revenueContract].ownerSplit`.

However, the `SpigotLib.claimRevenue` function does not check whether the `revenueContract` is a valid revenue contract address.

Impact
Anyone (e.g. the borrower or the `SpigotState.treasury` owner) can call `Spigot.claimRevenue` with an arbitrary `revenueContract` address, forcing a revenue stream split of 0% to the escrow and 100% to the treasury.

Proof of Concept
modules/spigot/Spigot.sol#L74
utils/SpigotLib.sol#L90

If the Spigot contract receives its revenue via push payments and the `SpigotLib.claimRevenue` function is called with an arbitrary `revenueContract` address, 0% of the revenue stream will be escrowed and **100%** will be immediately transferred to the `treasury` address.

Tools Used
Manual review

Recommended mitigation steps
Consider asserting in the `SpigotLib.claimRevenue` function that the `revenueContract` address is a valid revenue contract.
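
The default-zero settings lookup behind this finding, next to the recommended check, as an added example that is not part of the original report or of the Line-of-Credit code base. `SplitModel`, `registered`, `addRevenueContract`, `claimUnchecked`, `claimChecked`, `escrowed` and `sentToTreasury` are hypothetical names, and the `claimed` argument stands in for revenue that has already arrived by push payment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Simplified model written for this example; NOT the project's source.
// It keeps only the settings lookup and the split arithmetic (no tokens, no access control).
contract SplitModel {
    struct Setting {
        uint8 ownerSplit;  // percent of claimed revenue escrowed for the owner
        bool registered;   // hypothetical marker, set when a revenue contract is added
    }

    mapping(address => Setting) public settings;
    uint256 public escrowed;        // model counter: amount held for the owner
    uint256 public sentToTreasury;  // model counter: amount forwarded to the treasury

    function addRevenueContract(address revenueContract, uint8 ownerSplit) external {
        require(ownerSplit <= 100, "split above 100%");
        settings[revenueContract] = Setting({ownerSplit: ownerSplit, registered: true});
    }

    // Behaviour described in the finding: revenueContract is never validated.
    // A mapping read for an unknown key returns a zeroed struct, so ownerSplit
    // is 0 and the whole claimed amount is routed to the treasury.
    function claimUnchecked(address revenueContract, uint256 claimed) external {
        _split(settings[revenueContract].ownerSplit, claimed);
    }

    // Recommended mitigation: reject addresses that were never configured,
    // so the configured split cannot be replaced by the zero default.
    function claimChecked(address revenueContract, uint256 claimed) external {
        Setting storage s = settings[revenueContract];
        require(s.registered, "unknown revenue contract");
        _split(s.ownerSplit, claimed);
    }

    function _split(uint8 ownerSplit, uint256 claimed) private {
        uint256 escrowedAmount = (claimed * ownerSplit) / 100;
        escrowed += escrowedAmount;
        sentToTreasury += claimed - escrowedAmount;
    }
}
```

After `addRevenueContract(A, 90)`, calling `claimUnchecked(B, 1000)` with an unregistered `B` leaves `escrowed` unchanged and adds 1000 to `sentToTreasury`, while `claimChecked(B, 1000)` reverts and `claimChecked(A, 1000)` escrows 900.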