Call to declareInsolvent() would revert when contract status reaches liquidation point after repayment of credit position 1 #69
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
edited-by-warden
H-01
primary issue: Highest quality submission among a set of duplicates
satisfactory: Finding meets requirement
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/LineOfCredit.sol#L143
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/LineOfCredit.sol#L83-L86
Vulnerability details
Impact
The modifier whileBorrowing() is used in the call to LineOfCredit.declareInsolvent(). However, this check reverts when count == 0 or credits[ids[0]].principal == 0. Within the contract, any lender can add credit, which adds an entry in the credits array, credits[ids].
Assume the borrower chooses lender positions including credits[ids[0]] to draw on, and repays the loan fully for credits[ids[1]]. Then the call to declareInsolvent() by the arbiter would revert, since it does not pass the whileBorrowing() modifier check due to the ids array index shift in the call to stepQ(), which would shift ids[1] to ids[0], thereby making the condition credits[ids[0]].principal == 0 true and causing the revert.
Proof of Concept
credits[ids[0]].principal == 0
Tools Used
Manual review
Recommended Mitigation Steps
The modifier whileBorrowing() would need to be reviewed and amended.
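The revert described in this report, as an added Python model that is not part of the original submission or of the Line-of-Credit code base. The class, method and position names are hypothetical, the state is constructed to match the post-shift queue the report describes, and the "any position" check is only one assumed way to amend the modifier.

```python
from dataclasses import dataclass


class NotBorrowing(Exception):
    """Stands in for the revert raised when the borrowing check fails."""


@dataclass
class Credit:
    principal: int  # outstanding debt drawn from this lender position


class LineModel:
    """Simplified model of the credits mapping, ids queue and count."""

    def __init__(self, credits, ids):
        self.credits = credits  # position id -> Credit
        self.ids = ids          # repayment queue of position ids
        self.count = len(ids)   # number of open positions

    def while_borrowing_head_only(self):
        # Condition quoted in the report: only ids[0] is inspected.
        if self.count == 0 or self.credits[self.ids[0]].principal == 0:
            raise NotBorrowing()

    def while_borrowing_any(self):
        # Assumed amendment: debt on any queued position counts as borrowing.
        if not any(self.credits[i].principal > 0 for i in self.ids):
            raise NotBorrowing()

    def declare_insolvent(self, check):
        check()  # plays the role of the modifier guarding the call
        return "INSOLVENT"


def post_repayment_state():
    # Constructed state: the fully repaid position now sits at ids[0]
    # while two other positions still carry principal.
    credits = {"pos-0": Credit(500), "pos-1": Credit(0), "pos-2": Credit(300)}
    return LineModel(credits, ["pos-1", "pos-0", "pos-2"])


def try_declare(line, check_name):
    """Return 'INSOLVENT' if the guarded call succeeds, 'REVERT' otherwise."""
    try:
        return line.declare_insolvent(getattr(line, check_name))
    except NotBorrowing:
        return "REVERT"
```

With outstanding debt on two positions, the head-only check still blocks the arbiter, while the amended check lets the call through and still rejects a line with no debt at all.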