Platform: Code4rena
Start Date: 03/11/2022
Pot Size: $115,500 USDC
Total HM: 17
Participants: 120
Period: 7 days
Judge: LSDan
Total Solo HM: 1
Id: 174
League: ETH
Rank: 35/120
Findings: 1
Award: $220.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0xdeadbeef0x, Jeiwan, R2, ayeslick, minhquanym
220.3469 USDC - $220.35
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L483 https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L34 https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L48
In LineOfCredit._close() you are calling LineLib.sendOutTokenOrETH(). And there if token is ETH, you are using this statement to sent ETH to lender: payable(receiver).transfer(amount);
But if lender is a smart contract with deleted fallback() and receive() functions, the transfer will fail
If LineOfCredit._close() was called from LineOfCredit.depositAndClose(), it will lead to DoS
Because you are sending tokens/ETH to lenders one by one, but the first one may be malicious lender
vs code
If ETH transfer fails, send to user WETH tokens
#0 - c4-judge
2022-11-17T15:48:01Z
dmvt marked the issue as duplicate of #85
#1 - c4-judge
2022-11-17T20:37:46Z
dmvt marked the issue as partial-50
#2 - c4-judge
2022-11-17T20:40:42Z
dmvt changed the severity to 2 (Med Risk)
#3 - C4-Staff
2022-12-20T05:44:39Z
liveactionllama marked the issue as duplicate of #467