Platform: Code4rena
Start Date: 03/11/2022
Pot Size: $115,500 USDC
Total HM: 17
Participants: 120
Period: 7 days
Judge: LSDan
Total Solo HM: 1
Id: 174
League: ETH
Rank: 40/120
Findings: 4
Award: $117.29
π Selected for report: 0
π Solo Findings: 0
π Selected for report: 0xdeadbeef0x
Also found by: 8olidity, Ch_301, HE1M, Koolex, Lambda, Nyx, RedOneN, Ruhum, Tomo, Trust, adriro, aphak5010, ayeslick, berndartmueller, brgltd, carlitox477, cccz, codexploder, d3e4, eierina, eighty, immeas, joestakey, lotux, minhquanym, perseverancesuccess, rbserver, rvierdiiev
4.0405 USDC - $4.04
The receiveTokenOrETH() function requires that any ETH value sent by the user is never lower than the "amount" variable. However, the contract does consider the case where the user send a value higher than the requested amount. Since "msg.value" could be different than the requested "amount", user could "loose fund" by sending an "excessive ETH amount". Indeed, most of the functions calling "receiveTokenOrETH()" update state variables based on the "amount" value. eg. "credit.deposit" is incremented with "amount" value and not "msg.value", _createCredit and _repay() are feed with "amount" and not "msg.value"...
see links to affected code.
Manual audit
consider using a more restrictive condition :
if(msg.value != amount) { revert TransferFailed(); }
#0 - c4-judge
2022-11-17T16:24:24Z
dmvt marked the issue as duplicate of #25
#1 - c4-judge
2022-11-17T19:29:23Z
dmvt marked the issue as partial-50
#2 - C4-Staff
2022-12-20T06:44:54Z
liveactionllama marked the issue as duplicate of #39
π Selected for report: __141345__
Also found by: 0xdeadbeef0x, 8olidity, Amithuddar, Bnke0x0, Ch_301, Deivitto, IllIllI, KingNFT, Nyx, RaymondFam, RedOneN, Satyam_Sharma, SmartSek, Tomo, adriro, bananasboys, carlitox477, cccz, cloudjunky, codexploder, corerouter, cryptonue, d3e4, datapunk, joestakey, martin, merlin, minhquanym, pashov, peanuts, rvierdiiev
2.6694 USDC - $2.67
It has been observed that Debt DAO is using the deprecated transfer() function for "ETH" transfers through the "sendOutTokenOrETH()" function.
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
1) The claimer smart contract does not implement a payable function. 2) The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit. 3) The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the callβs gas usage above 2300.
For all these reasons, transfer() it is not recommended to use this function anymore
See link to affected code.
manual audit
I recommend using call() instead of transfer().
#0 - c4-judge
2022-11-17T15:53:23Z
dmvt marked the issue as duplicate of #14
#1 - c4-judge
2022-11-17T19:17:37Z
dmvt marked the issue as partial-50
#2 - c4-judge
2022-12-06T14:42:29Z
dmvt marked the issue as satisfactory
#3 - C4-Staff
2022-12-20T05:56:43Z
liveactionllama marked the issue as duplicate of #369
π Selected for report: IllIllI
Also found by: 0x1f8b, 0xNazgul, 0xRoxas, 0xSmartContract, Awesome, Aymen0909, B2, BClabs, Bnke0x0, Deekshith99, Deivitto, Diana, Dinesh11G, Funen, HE1M, HardlyCodeMan, Josiah, Nyx, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Saintcode_, TomJ, Trust, __141345__, a12jmx, adriro, ajtra, aphak5010, apostle0x01, brgltd, btk, bulej93, c3phas, carlitox477, catwhiskeys, ch0bu, chaduke, chrisdior4, cryptonue, cryptostellar5, csanuragjain, ctf_sec, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, i_got_hacked, immeas, joestakey, jumpdest7d, lukris02, martin, mcwildy, merlin, minhquanym, oyc_109, pashov, peanuts, pedr02b2, rbserver, rotcivegaf, rvierdiiev, sakman, saneryee, seyni, shark, slowmoses, tnevler, trustindistrust, w0Lfrum, yurahod, zaskoh
61.3462 USDC - $61.35
If the intention is for the Ether to be used, the function should call another function, otherwise it should revert (e.g. require(msg.sender == address(weth))). Having no access control on the function means that someone may send Ether to the contract, and have no way to get anything back out, which is a loss of funds.
File : SpigotedLine.sol
SpigotedLine.sol#L272
Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value. Moreover, v0.8.10 has a series of bug. eg. fix constructor source mappings for immutable, fix internal error when function names are not unique, improved error message for constant variables with mapping types ...
Scientific notation should be used for better code readability
File : EscrowLib.sol
EscrowLib.sol#L42
Use (e.g. 1e6) rather than decimal literals (e.g. 1000000), for better code readability
File : InterestRateCredit.sol
InterestRateCredit.sol#L9 InterestRateCredit.sol#L10
Block timestamps have historically been used for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.
File : LineOfCredit.sol
LineOfCredit.sol#L58 LineOfCredit.sol#L132
File : InterestRateCredit.sol
InterestRateCredit.sol#L48 InterestRateCredit.sol#L50 InterestRateCredit.sol#L82
#0 - c4-judge
2022-12-06T23:15:35Z
dmvt marked the issue as grade-b
π Selected for report: IllIllI
Also found by: 0x1f8b, 0xRajkumar, Awesome, Aymen0909, B2, Bnke0x0, Deivitto, Diana, JC, Metatron, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Saintcode_, TomJ, __141345__, ajtra, aphak5010, brgltd, c3phas, ch0bu, chrisdior4, cryptonue, durianSausage, emrekocak, erictee, exolorkistis, gogo, karanctf, lukris02, martin, me_na0mi, oyc_109, peanuts, rotcivegaf, saneryee, seyni, tnevler, zaskoh
49.2315 USDC - $49.23
The unchecked keyword is new in solidity version 0.8.0, so this only applies to that version or higher, which these instances are. This saves around 40 gas per loop.
File : CreditListLib.sol
CreditListLib.sol#L23 CreditListLib.sol#L51
File : EscrowLib.sol
EscrowLib.sol#L57
File : LineOfCredit.sol
LineOfCredit.sol#L179 LineOfCredit.sol#L203 LineOfCredit.sol#L520
When using elements that are smaller than 32 bytes, your contractβs gas usage may be higher. This is because the EVM operates on 32 bytes at a time. Therefore, if the element is smaller than that, the EVM must use more operations in order to reduce the size of the element from 32 bytes to the desired size.
File : SpigotedLineLib.sol
SpigotedLineLib.sol#L13
File : SpigotedLine.sol
SpigotedLine.sol#L60
File : LineFactory.sol
LineFactory.sol#L12 LineFactory.sol#L13 LineFactory.sol#L14
File : SecuredLine.sol
SecuredLine.sol#L21
File : SpigotLib.sol
SpigotLib.sol#L25
Strict inequalities (>) are more expensive than non-strict ones (>=). This is due to some supplementary checks (ISZERO, 3 gas). This also holds true between <= and <.
Various instances across the different contracts.
When a require statement is used multiple times, it is cheaper in deployment costs to use a modifier instead.
File : EscrowLib.sol
require(amount>0); EscrowLib.sol#L91 EscrowLib.sol#L161 EscrowLib.sol#L198
File : LineOfCredit.sol
require(interestrate.setrate(id,drate,frate)); LineOfCredit.sol#L241 LineOfCredit.sol#L259
The code should be refactored such that they no longer exist, or the block should do something useful, such as emitting an event or reverting. If the contract is meant to be extended, the contract should be abstract and the function signatures be added without any default implementation. If the block is an empty if-statement block to avoid doing subsequent checks in the else-if/else conditions, the else-if/else conditions should be nested under the negation of the if-statement, because they involve different classes of checks, which may lead to the introduction of errors when the code is later modified (if(x){}else if(y){...}else{...} => if(!x){if(y){...}else{...}}). Empty receive()/fallback() payable functions that are not used, can be removed to save deployment gas.
File : SpigotedLine.sol
SpigotedLine.sol#L272
Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value.
#0 - c4-judge
2022-11-17T23:03:08Z
dmvt marked the issue as grade-b