Platform: Code4rena
Start Date: 03/11/2022
Pot Size: $115,500 USDC
Total HM: 17
Participants: 120
Period: 7 days
Judge: LSDan
Total Solo HM: 1
Id: 174
League: ETH
Rank: 14/120
Findings: 4
Award: $1,938.11
Selected for report: 0
Solo Findings: 0
1468.9791 USDC - $1,468.98
One way for this to work: a borrower becomes his own lender and borrows from himself before he borrows from another lender.
This makes him the first lender, so he has to be repaid before the other lenders.
The whileBorrowing modifier allows a given function to run only when count != 0 || credits[ids[0]].principal != 0.
A borrower is able to take out a loan from himself and then repay it, satisfying this requirement, credits[ids[0]].principal == 0, in the whileBorrowing modifier.
A borrower can prevent an arbiter from calling declareInsolvent by becoming his own lender before borrowing from other lenders. Then the borrower repays himself but doesn't call the close function. The borrower doesn't repay the other lenders. The arbiter tries to call declareInsolvent but will be unable to since the whileBorrowing modifier will revert the transaction. It reverts the transaction because credits[ids[0]].principal == 0 since the borrower is the first lender.
Borrower becomes his own lender by calling the addCredit function and passing in an address he controls as a lender.
Borrower borrows from himself first, then the other lenders.
Borrower repays himself but doesn't call the close function.
Borrower doesn't repay the other lenders.
Arbiter gets involved and calls the declareInsolvent function, but the function will revert due to the whileBorrowing modifier.
When the first lender is made whole the loan for that lender should automatically close.
#0 - c4-judge
2022-11-17T10:50:24Z
dmvt marked the issue as primary issue
#1 - c4-judge
2022-11-17T21:49:13Z
dmvt marked the issue as duplicate of #69
#2 - c4-judge
2022-12-06T17:19:14Z
dmvt marked the issue as satisfactory
Selected for report: 0xdeadbeef0x
Also found by: 8olidity, Ch_301, HE1M, Koolex, Lambda, Nyx, RedOneN, Ruhum, Tomo, Trust, adriro, aphak5010, ayeslick, berndartmueller, brgltd, carlitox477, cccz, codexploder, d3e4, eierina, eighty, immeas, joestakey, lotux, minhquanym, perseverancesuccess, rbserver, rvierdiiev
4.0405 USDC - $4.04
If a lender or borrower sends in more ETH than the amount they specified, that ETH is not refunded to them.
Borrower calls the depositAndRepay function.
Borrower specifies 1 ETH in the amount but sends 1.5 ETH.
The 1 ETH is used to repay his loan while 0.5 ETH isn't accounted for.
require(amount == msg.value) for ETH transfers
#0 - c4-judge
2022-11-17T11:50:37Z
dmvt marked the issue as duplicate of #25
#1 - c4-judge
2022-12-06T16:27:45Z
dmvt marked the issue as partial-50
#2 - C4-Staff
2022-12-20T06:44:54Z
liveactionllama marked the issue as duplicate of #39
Selected for report: __141345__
Also found by: Bnke0x0, Ch_301, Jeiwan, Lambda, Ruhum, aphak5010, ayeslick, cccz, codexploder, everyanykey, hansfriese, ladboy233, minhquanym, pashov, rbserver, rvierdiiev
24.4049 USDC - $24.40
If a lender and borrower agree to use a fee-on-transfer token, the amount recorded in the contract will be different than the amount received.
Lender transfers tokens via the addCredit function.
Lender specifies 1000 tokens.
The contract receives 950 tokens but records 1000 tokens received.
Check the balance of the contract before and after a transfer and use the difference.
#0 - c4-judge
2022-11-17T11:11:13Z
dmvt marked the issue as duplicate of #26
#1 - c4-judge
2022-12-06T16:47:03Z
dmvt marked the issue as partial-50
#2 - C4-Staff
2022-12-20T06:01:34Z
liveactionllama marked the issue as duplicate of #367
Selected for report: berndartmueller
Also found by: 0xdeadbeef0x, Jeiwan, R2, ayeslick, minhquanym
440.6937 USDC - $440.69
If a lender rejects the ETH transfer when a borrower calls the close function, the borrower will be unable to close their loan with that lender, which could lead to liquidation. It also prevents other lenders who provided loans after the lender from being repaid, since repayments are on a FIFO basis.
Borrower borrows from malicious lender.
Borrower borrows from other lenders.
Borrower repays malicious lender.
Borrower calls close function.
ETH is sent to the malicious lender's contract, which rejects the ETH, causing the transaction to revert.
If an ETH transfer fails, wrap it to WETH, then send it to the lender.
#0 - c4-judge
2022-11-17T11:10:46Z
dmvt marked the issue as duplicate of #85
#1 - c4-judge
2022-12-06T17:35:22Z
dmvt marked the issue as satisfactory
#2 - C4-Staff
2022-12-20T05:44:12Z
liveactionllama marked the issue as duplicate of #467
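The three payment-handling recommendations above (require amount == msg.value, record the balance difference for fee-on-transfer tokens, fall back to WETH when an ETH transfer fails) combined in one added Solidity example, which is not code from the audited project. The library, function and interface names, and the use of address(0) to mean native ETH, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example: every name below is hypothetical, not taken from the audited code.
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IWETH is IERC20Min {
    function deposit() external payable;
}

library PaymentGuards {
    // Assumption: address(0) is the marker for native ETH.
    address internal constant ETH_MARKER = address(0);

    /// Pulls `amount` from `from` and returns what this contract actually received.
    /// Callers should book the return value, not `amount`.
    function receiveFunds(address token, address from, uint256 amount) internal returns (uint256) {
        if (token == ETH_MARKER) {
            // Exact match: surplus ETH would otherwise sit in the contract unaccounted for.
            require(msg.value == amount, "ETH sent != amount");
            return amount;
        }
        require(msg.value == 0, "unexpected ETH");
        IERC20Min erc20 = IERC20Min(token);
        uint256 balanceBefore = erc20.balanceOf(address(this));
        // Tokens that return no bool need a SafeERC20-style wrapper instead.
        require(erc20.transferFrom(from, address(this), amount), "transferFrom failed");
        // A fee-on-transfer token delivers less than `amount`; the delta is the truth.
        return erc20.balanceOf(address(this)) - balanceBefore;
    }

    /// Pays `amount` ETH to `to`. If the recipient rejects ETH, the same value is
    /// paid in WETH, so one lender cannot make repayment or close revert.
    /// The call forwards gas: update credit state before calling this.
    function sendEth(IWETH weth, address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) {
            weth.deposit{value: amount}();
            require(weth.transfer(to, amount), "WETH transfer failed");
        }
    }
}
```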