Borrower debt can be increased to huge number due to overflow error #82
Labels: 3 (High Risk), bug, duplicate-461, satisfactory, sponsor confirmed
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/SpigotedLine.sol#L137-L151
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/utils/CreditLib.sol#L168-L195
Vulnerability details
Impact
Borrower debt can be increased due to an overflow error. A malicious lender, or a borrower by mistake, can increase the borrower's debt to a very large amount.
Proof of Concept
The `SpigotedLine.useAndRepay` function allows repaying credit using the unused amount of credit tokens that is controlled by SpigotedLine.
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/modules/credit/SpigotedLine.sol#L137-L151
Note that there is no check that the amount provided by the caller is less than or equal to `credit.principal + credit.interests`.
That means the borrower or lender can provide such an amount by mistake or maliciously.
Then the function `LineOfCredit._repay` is called, which just passes the amount to `CreditLib.repay`.
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/utils/CreditLib.sol#L168-L195
As you can see, this function uses `unchecked` for the calculation. That's why, when the provided value is bigger than `credit.principal + credit.interestAccrued`, we will have an overflow here.
As a result, the user's debt becomes super big, while it should be 0.
How can this be used? First of all, by the lender. He can call this function and provide the amount needed for the overflow. But one condition must be met: the unused amount of tokens should be bigger than `credit.principal + credit.interestAccrued`.
This is the test that will show how it works. Copy it to SpigotedLine.t.sol.
Tools Used
VsCode
Recommended Mitigation Steps
Do not pass an amount that is bigger than `credit.principal + credit.interestAccrued` to the `_repay` function.
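A minimal model of the unchecked repayment arithmetic described in this finding, next to a version with the recommended bound check. This is an added example, not the project's CreditLib code: the contract name `RepayModel`, the reduced `Credit` struct, the function names, the custom error and the sample values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example; all names here are assumptions, not the project's code.
contract RepayModel {
    struct Credit {
        uint256 principal;
        uint256 interestAccrued;
        uint256 interestRepaid;
    }

    error RepayAmountExceedsDebt(uint256 amount, uint256 owed);

    // Before: arithmetic inside `unchecked`, with no upper bound on `amount`.
    function repayUnchecked(Credit memory credit, uint256 amount)
        public pure returns (Credit memory)
    {
        unchecked {
            if (amount <= credit.interestAccrued) {
                credit.interestAccrued -= amount;
                credit.interestRepaid += amount;
            } else {
                uint256 interest = credit.interestAccrued;
                // When amount - interest exceeds principal, this subtraction
                // wraps modulo 2**256 instead of reverting.
                credit.principal -= amount - interest;
                credit.interestRepaid += interest;
                credit.interestAccrued = 0;
            }
        }
        return credit;
    }

    // After: reject any amount above principal + interestAccrued first.
    function repayChecked(Credit memory credit, uint256 amount)
        public pure returns (Credit memory)
    {
        uint256 owed = credit.principal + credit.interestAccrued;
        if (amount > owed) revert RepayAmountExceedsDebt(amount, owed);
        return repayUnchecked(credit, amount);
    }

    // Constructed values: 100 principal, 10 interest, repayment of 111.
    function demo() external view returns (uint256 wrapped, bool rejected) {
        wrapped = repayUnchecked(Credit(100, 10, 0), 111).principal;
        try this.repayChecked(Credit(100, 10, 0), 111) {} catch {
            rejected = true;
        }
    }
}
```

Calling `demo()` returns the principal left by the unchecked path for an overpayment of one token, and whether the checked path reverted for the same input.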