Arbitrary call order to handle mutual consent can lead to unrecoverable native ETH #471
Labels: 3 (High Risk) (assets can be stolen/lost/compromised directly); bug (something isn't working); duplicate-125; satisfactory (finding meets requirement); upgraded by judge (original issue severity upgraded from QA/Gas by judge)
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/MutualConsent.sol#L31-L36
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L234
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L270
Vulnerability details
Creating new credits and increasing the credit deposit requires both parties, the lender and the borrower, to agree. This is implemented by having both call the same function with the same call data.
However, as it's possible to use native ETH as a credit token, this can lead to a situation where the lender is the first to call the function and sends native ETH with it. The function is not executed at this time, as the borrower has not yet called the function. The already transferred native ETH is now locked and unrecoverable.
Impact
If the lender is the first to call the `LineOfCredit.addCredit` or `LineOfCredit.increaseCredit` functions, native ETH transferred with the call will be locked as the function is only executed after the second and final signer has called the function.
Proof of Concept
utils/MutualConsent.sol#L31-L36
The `MutualConsent.mutualConsent` modifier only allows the function to be called in case both signers have called the function with the same call data.
modules/credit/LineOfCredit.sol#L234
The `LineOfCredit.addCredit` function uses the `mutualConsent` modifier to add a new credit. Native ETH can be sent to the function as the deposit. However, if the lender is the first caller of the function and sends native ETH, the function will not be executed due to the missing second call of the borrower. ETH funds will be unrecoverable.
modules/credit/LineOfCredit.sol#L270
Similarly, the `LineOfCredit.increaseCredit` function uses the `LineOfCredit.mutualConsentById` modifier (which internally uses the `MutualConsent.mutualConsent` modifier). The same issue with native-sent ETH applies. If the lender is the first caller of the function and sends native ETH, the function will not be executed due to the missing second call of the borrower. ETH funds will be unrecoverable.
Tools Used
Manual review
Recommended mitigation steps
Consider enforcing the function call order to ensure that the party providing the native ETH funds is the second and last caller of the function.
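The recommended mitigation as an added sketch, not part of the original report and not the Line-of-Credit code: a simplified ETH-only two-party consent gate that rejects the funding party as first caller and rejects any value on a consent-only call. The contract, modifier and error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Simplified model, not the Line-of-Credit code: contract, error and modifier names are assumptions.
contract ConsentGatedEthCredit {
    address public immutable lender;   // party that funds the credit with native ETH
    address public immutable borrower;
    mapping(bytes32 => bool) public consents; // keccak256(msg.data, signer) => consent registered
    uint256 public deposited;

    error Unauthorized();
    error FunderMustCallLast();
    error ValueOnConsentOnlyCall();
    error WrongValue();

    constructor(address lender_, address borrower_) {
        lender = lender_;
        borrower = borrower_;
    }

    modifier mutualConsentFunderLast() {
        if (msg.sender != lender && msg.sender != borrower) revert Unauthorized();
        address other = msg.sender == lender ? borrower : lender;
        bytes32 expected = keccak256(abi.encodePacked(msg.data, other));
        if (consents[expected]) {
            // Final call: the counterparty already consented, so the body runs
            // and msg.value is accounted for in the same transaction.
            delete consents[expected];
            _;
        } else {
            // Consent-only call: the body is skipped and the call still succeeds.
            // Without the two checks below, ETH attached here would stay in the
            // contract with no accounting, which is the loss the finding describes.
            if (msg.sender == lender) revert FunderMustCallLast();
            if (msg.value != 0) revert ValueOnConsentOnlyCall();
            consents[keccak256(abi.encodePacked(msg.data, msg.sender))] = true;
        }
    }

    function addCredit(uint256 amount) external payable mutualConsentFunderLast {
        if (msg.value != amount) revert WrongValue();
        deposited += amount;
    }
}
```

Because `msg.value` is not part of `msg.data`, the borrower's zero-value call and the lender's funded call hash to the same consent key, so the ordering check does not change how consent is matched.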