Debt DAO contest - bananasboys's results

A cryptonative credit marketplace for fully anon and trustless loans to DAOs.

General Information

Platform: Code4rena

Start Date: 03/11/2022

Pot Size: $115,500 USDC

Total HM: 17

Participants: 120

Period: 7 days

Judge: LSDan

Total Solo HM: 1

Id: 174

League: ETH

Debt DAO

Findings Distribution

Researcher Performance

Rank: 117/120

Findings: 1

Award: $5.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

5.3388 USDC - $5.34

Labels

bug
2 (Med Risk)
satisfactory
duplicate-369

External Links

Lines of code

https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/utils/LineLib.sol#L48

Vulnerability details

Impact

The protocol could become unusable for smart contract wallets, or for any contract whose fallback function runs custom logic.

Using the transfer function to send ETH is not recommended, because it reverts on failure and forwards only a gas stipend of 2300 gas units. If the recipient is an EOA, this is not a problem. However, the recipient could be any sort of contract (such as a multisig or a smart contract wallet) with custom logic in its fallback function that spends more than the given gas stipend, making the call fail.

Steps to reproduce

  1. Create a contract whose fallback function runs custom logic that spends more than 2300 gas units.
  2. Use that contract to interact with the protocol to lend/borrow ETH.
  3. Execution reverts whenever ETH is transferred to that contract.

Two alternatives:

  1. Use the low-level call function. Solidity docs: https://docs.soliditylang.org/en/v0.8.17/security-considerations.html?highlight=call%20ether#sending-and-receiving-ether
  2. Use the OpenZeppelin Address library. Function to use: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol#L60
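The following is an added illustration, not code from the Debt DAO repository or from the finding above. It shows the failure mode described in the Impact section and the first of the two alternatives side by side: a hypothetical recipient whose receive function writes storage (so it needs far more than the 2300-gas stipend), a payout function using transfer (which can never pay that recipient), and a hardened payout using a checked low-level call. The contract and function names (StatefulRecipient, EthPayout, payWithTransfer, payWithCall) are made up for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical recipient (constructed for this example): its receive()
/// updates storage, and a single SSTORE alone costs more than the 2300-gas
/// stipend that `transfer` forwards. Multisigs and smart contract wallets that
/// log or account for incoming ETH behave the same way.
contract StatefulRecipient {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: exceeds the 2300-gas stipend
    }
}

/// Hypothetical payout contract (constructed for this example) showing the
/// weak pattern next to the hardened one.
contract EthPayout {
    event Paid(address indexed to, uint256 amount);

    /// Weak pattern: `transfer` forwards exactly 2300 gas and reverts on
    /// failure. Sending to a StatefulRecipient through this path always
    /// reverts, so such a user is locked out of any flow that pays them ETH.
    function payWithTransfer(address payable to, uint256 amount) external {
        to.transfer(amount);
        emit Paid(to, amount);
    }

    /// Hardened pattern: a low-level `call` forwards all remaining gas and
    /// returns a success flag that must be checked explicitly. Because the
    /// callee can now execute arbitrary code, finish all state changes before
    /// the external call (checks-effects-interactions) or add a reentrancy
    /// guard around functions that use this helper.
    function payWithCall(address payable to, uint256 amount) external {
        emit Paid(to, amount); // effects first; a revert below undoes the event
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    /// Lets the payout contract hold ETH for the example.
    receive() external payable {}
}
```

Deploying both contracts and funding EthPayout, payWithTransfer(statefulRecipient, 1 ether) reverts out of gas inside the recipient's receive, while payWithCall(statefulRecipient, 1 ether) succeeds and increments received. The second alternative in the finding, OpenZeppelin's Address.sendValue, wraps the same call-plus-require pattern, so it can replace payWithCall's body without changing the behaviour shown here.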

#0 - c4-judge

2022-11-17T16:23:00Z

dmvt marked the issue as duplicate of #14

#1 - c4-judge

2022-12-06T14:40:41Z

dmvt marked the issue as satisfactory

#2 - C4-Staff

2022-12-20T05:56:43Z

liveactionllama marked the issue as duplicate of #369
