Lender can cause unlimited debt due to underflow #93
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-461
satisfactory
Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/SpigotedLine.sol#L137
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/CreditLib.sol#L186
Vulnerability details
Impact
The lender and borrower can both call the function SpigotedLine.useAndRepay (https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/SpigotedLine.sol#L137) and specify an amount that is used to repay the debt.

The lender can call this function with an amount > credit.interestAccrued + credit.principal. This will cause an underflow in the CreditLib.repay function (https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/CreditLib.sol#L186).

Practically, this means that if a SpigotedLine is used, the lender can cause the debt for the borrower to be so big that it could never be repaid (principal is a uint256).

So the borrower will get liquidated and lose access to the revenue contracts and all the assets will be used to pay the lenders.
Proof of Concept
I used the following test and added it to SpigotedLine.t.sol.

It will cause an underflow in the credit.principal.

After the exploitation, credit.principal will be 115792089237316195423570985008687907853269984665640564039457584007913129639935.

Tools Used
VSCode
Recommended Mitigation Steps
Limit the debt that is repaid to credit.interestAccrued + credit.principal as you do in the SpigotedLine.claimAndRepay function (https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/SpigotedLine.sol#L115-L118).
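The recommended cap, shown against the wrap-around it prevents, as an added example (not the project's code and not the reporter's test). It is a simplified model that assumes the subtraction runs inside an unchecked block, which is what a wrap to 2^256 - 1 implies; the contract, struct and function names are hypothetical and only the field names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Simplified model of the repay arithmetic (added example, not the project's code).
// Contract, struct and function names are assumptions made for illustration.
contract RepayModel {
    struct Credit {
        uint256 principal;
        uint256 interestAccrued;
        uint256 interestRepaid;
    }

    // Unchecked arithmetic: when amount > interestAccrued + principal,
    // principal wraps modulo 2**256 instead of reverting.
    function repayUnchecked(Credit memory c, uint256 amount) public pure returns (Credit memory) {
        unchecked {
            if (amount <= c.interestAccrued) {
                // Payment only covers (part of) the accrued interest.
                c.interestAccrued -= amount;
                c.interestRepaid += amount;
            } else {
                // Interest is cleared first, the remainder reduces principal.
                uint256 interest = c.interestAccrued;
                c.principal -= amount - interest; // wraps if remainder > principal
                c.interestRepaid += interest;
                c.interestAccrued = 0;
            }
        }
        return c;
    }

    // Caller-side cap, as the report recommends: never repay more than is owed.
    function repayCapped(Credit memory c, uint256 amount) public pure returns (Credit memory) {
        uint256 owed = c.interestAccrued + c.principal; // checked add, reverts on overflow
        if (amount > owed) amount = owed;
        return repayUnchecked(c, amount);
    }

    // Constructed values: principal 100, interest 10, repayment 111 (one unit too many).
    // Returns the resulting principal on the uncapped and on the capped path.
    function demo() external pure returns (uint256 wrapped, uint256 capped) {
        wrapped = repayUnchecked(Credit(100, 10, 0), 111).principal;
        capped = repayCapped(Credit(100, 10, 0), 111).principal;
    }
}
```

A regression test for the fix can assert that a repayment larger than the amount owed leaves principal at zero rather than at the uint256 maximum quoted in the proof of concept.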