Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call to declareInsolvent() would revert when contract status reaches liquidation point after repayment of credit position 1 #69

Open
code423n4 opened this issue Nov 5, 2022 · 5 comments
Open

Call to declareInsolvent() would revert when contract status reaches liquidation point after repayment of credit position 1 #69

code423n4 opened this issue Nov 5, 2022 · 5 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden H-01 primary issue Highest quality submission among a set of duplicates satisfactory Finding meets requirement selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

code423n4 commented Nov 5, 2022
edited

Lines of code

https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/LineOfCredit.sol#L143
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/LineOfCredit.sol#L83-L86

Vulnerability details

Impact

The modifier whileBorrowing() is used along in the call to LineOfCredit.declareInsolvent(). However this check reverts when count == 0 or credits[ids[0]].principal == 0 . Within the contract, any lender can add credit which adds an entry in credits array, credits[ids].

Assume, when borrower chooses lender positions including credits[ids[0]] to draw on, and repays back the loan fully for credits[ids[1]], then the call to declareInsolvent() by the arbiter would revert since it does not pass the whileBorrowing() modifier check due to the ids array index shift in the call to stepQ(), which would shift ids[1] to ids[0], thereby making the condition for credits[ids[0]].principal == 0 be true causing the revert.

Proof of Concept

  1. LineOfCredit contract is set up and 5 lenders have deposited into the contract.
  2. Alice, the borrower borrows credit from these 5 credit positions including by calling LineOfCredit.borrow() for the position ids.
  3. Later Alice pays back the loan for credit position id 1 just before the contract gets liquidated
  4. At the point where ids.stepQ() is called in _repay(), position 1 is moved to ids[0]
  5. When contract status is LIQUIDATABLE, no loan drawn on credit position 0 and arbiter calls declareInsolvent() , the call would revert since credits[ids[0]].principal == 0

Tools Used

Manual review

Recommended Mitigation Steps

The modifier whileBorrowing() would need to be reviewed and amended.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 5, 2022
code423n4 added a commit that referenced this issue Nov 5, 2022
@code423n4
cryptphi issue #69
7ff0bce
@code423n4 code423n4 changed the title Call to declareInsolvent() would revert when first added credit principal is 0. Call to declareInsolvent() would revert when contract status reaches liquidation point after repayment of credit position 1 Nov 5, 2022
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Nov 15, 2022
@c4-judge
Copy link
Contributor

dmvt marked the issue as primary issue

This was referenced Nov 15, 2022
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Open
@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Nov 17, 2022
@c4-judge
Copy link
Contributor

dmvt marked the issue as selected for report

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Nov 17, 2022
@c4-judge
Copy link
Contributor

dmvt changed the severity to 3 (High Risk)

@c4-judge c4-judge mentioned this issue Nov 17, 2022
Closed
@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Nov 30, 2022
@c4-sponsor
Copy link

kibagateaux marked the issue as sponsor confirmed

@c4-judge
Copy link
Contributor

c4-judge commented Dec 6, 2022

dmvt marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory Finding meets requirement label Dec 6, 2022
@C4-Staff C4-Staff added the H-01 label Dec 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden H-01 primary issue Highest quality submission among a set of duplicates satisfactory Finding meets requirement selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @c4-judge @c4-sponsor @C4-Staff