Platform: Code4rena
Start Date: 03/11/2022
Pot Size: $115,500 USDC
Total HM: 17
Participants: 120
Period: 7 days
Judge: LSDan
Total Solo HM: 1
Id: 174
League: ETH
Rank: 72/120
Findings: 3
Award: $62.23
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xdeadbeef0x
Also found by: 8olidity, Ch_301, HE1M, Koolex, Lambda, Nyx, RedOneN, Ruhum, Tomo, Trust, adriro, aphak5010, ayeslick, berndartmueller, brgltd, carlitox477, cccz, codexploder, d3e4, eierina, eighty, immeas, joestakey, lotux, minhquanym, perseverancesuccess, rbserver, rvierdiiev
8.0811 USDC - $8.08
The receiveTokenOrETH function does not return excess ETH when a user accidentally sends more than amount while calling the addCredit function at LineOfCredit.sol#L237. The surplus stays in the contract, which is a loss for the user.
    function receiveTokenOrETH(
        address token,
        address sender,
        uint256 amount
    ) external returns (bool) {
        if(token == address(0)) { revert TransferFailed(); }
        if(token != Denominations.ETH) { // ERC20
            ...
        } else { // ETH
            if(msg.value < amount) { revert TransferFailed(); }
        }
        return true;
    }
Return any excess ETH passed to the receiveTokenOrETH function, i.e. refund msg.value - amount whenever msg.value > amount.
#0 - c4-judge
2022-11-17T11:29:22Z
dmvt marked the issue as duplicate of #25
#1 - c4-judge
2022-12-06T16:28:37Z
dmvt marked the issue as satisfactory
#2 - C4-Staff
2022-12-20T06:44:54Z
liveactionllama marked the issue as duplicate of #39
🌟 Selected for report: __141345__
Also found by: Bnke0x0, Ch_301, Jeiwan, Lambda, Ruhum, aphak5010, ayeslick, cccz, codexploder, everyanykey, hansfriese, ladboy233, minhquanym, pashov, rbserver, rvierdiiev
48.8098 USDC - $48.81
In the receiveTokenOrETH function, if the token charges a fee on transfer, the amount the contract actually receives is less than the amount it accounts for:
    function receiveTokenOrETH(
        address token,
        address sender,
        uint256 amount
    ) external returns (bool) {
        if(token == address(0)) { revert TransferFailed(); }
        if(token != Denominations.ETH) { // ERC20
            IERC20(token).safeTransferFrom(sender, address(this), amount);
        } else { // ETH
            ...
        }
        return true;
    }
If token is an ERC20 token that takes a fee on transfer, the contract receives only amount - fees.
This function is used by the addCredit function, which then creates the credit for the full amount:
    function addCredit(
        uint128 drate,
        uint128 frate,
        uint256 amount,
        address token,
        address lender
    ) external payable override whileActive mutualConsent(lender, borrower) returns (bytes32) {
        LineLib.receiveTokenOrETH(token, lender, amount);
        bytes32 id = _createCredit(lender, token, amount);
        ...
    }
Record the contract's token balance before and after the transfer and use the difference as the exact amount of token actually received.
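The Solidity below is an added illustration covering both receiveTokenOrETH findings above (excess ETH kept by the contract, and fee-on-transfer tokens credited at the requested rather than the received amount); it is not Debt DAO's LineLib or LineOfCredit code. The library name HardenedLineLib, the RefundFailed error and the LineExample contract are hypothetical, the OpenZeppelin import paths are the 4.x ones, and the ETH sentinel is the same value Chainlink's Denominations.ETH holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed OpenZeppelin 4.x paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Hypothetical hardened counterpart of LineLib.receiveTokenOrETH (added example,
/// not the project's code). It returns the amount that actually arrived.
library HardenedLineLib {
    using SafeERC20 for IERC20;

    // Same sentinel value as Chainlink's Denominations.ETH.
    address public constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

    error TransferFailed();
    error RefundFailed();

    function receiveTokenOrETH(address token, address sender, uint256 amount)
        internal
        returns (uint256 received)
    {
        if (token == address(0)) revert TransferFailed();

        if (token != ETH) {
            // Fee-on-transfer finding: credit the balance delta, not `amount`.
            IERC20 erc20 = IERC20(token);
            uint256 before = erc20.balanceOf(address(this));
            erc20.safeTransferFrom(sender, address(this), amount);
            received = erc20.balanceOf(address(this)) - before;
            if (received == 0) revert TransferFailed();
        } else {
            // Excess-ETH finding: refund anything above `amount` to the payer.
            if (msg.value < amount) revert TransferFailed();
            received = amount;
            uint256 excess = msg.value - amount;
            if (excess > 0) {
                (bool ok, ) = payable(msg.sender).call{value: excess}("");
                if (!ok) revert RefundFailed();
            }
        }
    }
}

/// Minimal caller showing how the returned amount feeds the accounting.
contract LineExample is ReentrancyGuard {
    // credited[lender][token] = amount the line actually holds for that lender
    mapping(address => mapping(address => uint256)) public credited;

    event CreditAdded(address indexed lender, address indexed token, uint256 requested, uint256 received);

    // The refund inside the library is an external call, so the function is
    // nonReentrant; `received`, not `amount`, is what gets recorded.
    function addCredit(uint256 amount, address token, address lender)
        external
        payable
        nonReentrant
        returns (uint256 received)
    {
        received = HardenedLineLib.receiveTokenOrETH(token, lender, amount);
        credited[lender][token] += received;
        emit CreditAdded(lender, token, amount, received);
    }
}
```

The balance-delta pattern is the one that makes the accounting match reality for any token, whereas trusting the amount argument is only correct for tokens without transfer fees. The ETH refund is an outbound call made before the caller writes its state, which is why the calling function carries a reentrancy guard; a stricter alternative with no outbound call is to reject the transaction unless msg.value equals amount exactly.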
#0 - c4-judge
2022-11-17T11:29:41Z
dmvt marked the issue as duplicate of #26
#1 - c4-judge
2022-12-06T16:45:51Z
dmvt marked the issue as satisfactory
#2 - C4-Staff
2022-12-20T06:01:34Z
liveactionllama marked the issue as duplicate of #367
🌟 Selected for report: __141345__
Also found by: 0xdeadbeef0x, 8olidity, Amithuddar, Bnke0x0, Ch_301, Deivitto, IllIllI, KingNFT, Nyx, RaymondFam, RedOneN, Satyam_Sharma, SmartSek, Tomo, adriro, bananasboys, carlitox477, cccz, cloudjunky, codexploder, corerouter, cryptonue, d3e4, datapunk, joestakey, martin, merlin, minhquanym, pashov, peanuts, rvierdiiev
5.3388 USDC - $5.34
The transfer function forwards only a 2300 gas stipend, so the ETH transfer fails if the recipient's receive or fallback function needs more gas than that. Using the call function instead is the better approach.
    function sendOutTokenOrETH(
        address token,
        address receiver,
        uint256 amount
    ) external returns (bool) {
        ...
        } else { // ETH
            payable(receiver).transfer(amount);
        }
        return true;
    }
Use call instead of the transfer function.
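As an added example (not the project's own code), the library below sends ETH with call and checks the returned success flag, and the contract that uses it shows the trade-off that comes with the change: once the receiver gets all remaining gas, it can call back in, so the caller updates state before sending and is guarded. The names HardenedSendLib and PayoutExample, the errors, and the OpenZeppelin 4.x import paths are assumptions; the ETH sentinel is the value Chainlink's Denominations.ETH holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed OpenZeppelin 4.x paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Hypothetical hardened counterpart of LineLib.sendOutTokenOrETH (added example).
library HardenedSendLib {
    using SafeERC20 for IERC20;

    // Same sentinel value as Chainlink's Denominations.ETH.
    address public constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

    error TransferFailed();

    function sendOutTokenOrETH(address token, address receiver, uint256 amount)
        internal
        returns (bool)
    {
        if (token == address(0) || receiver == address(0)) revert TransferFailed();

        if (token != ETH) {
            IERC20(token).safeTransfer(receiver, amount);
        } else {
            // `transfer` forwards only 2300 gas and reverts for any receiver whose
            // receive()/fallback() does more than emit a simple event (smart-contract
            // wallets, multisigs). `call` forwards all remaining gas and reports
            // failure through its return value, which must be checked.
            (bool ok, ) = payable(receiver).call{value: amount}("");
            if (!ok) revert TransferFailed();
        }
        return true;
    }
}

/// Caller that pairs the call-based send with checks-effects-interactions and a
/// reentrancy guard, since the receiver now has enough gas to call back in.
contract PayoutExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    // owed[account][token] = balance the account may withdraw
    mapping(address => mapping(address => uint256)) public owed;

    error BadAmount();
    error InsufficientBalance();

    function deposit(address token, uint256 amount) external payable {
        if (token == HardenedSendLib.ETH) {
            if (msg.value != amount) revert BadAmount();
        } else {
            if (msg.value != 0) revert BadAmount();
            // Fee-on-transfer tokens are deliberately out of scope for this example.
            IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        }
        owed[msg.sender][token] += amount;
    }

    function withdraw(address token, uint256 amount) external nonReentrant {
        uint256 balance = owed[msg.sender][token];
        if (amount > balance) revert InsufficientBalance();
        owed[msg.sender][token] = balance - amount;                    // effect first
        HardenedSendLib.sendOutTokenOrETH(token, msg.sender, amount);  // interaction last
    }
}
```

The 2300 gas cap of transfer acted as an implicit reentrancy guard; after switching to call that protection has to be made explicit, which is what the nonReentrant modifier and the balance update before the send provide in withdraw.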
#0 - c4-judge
2022-11-17T11:29:31Z
dmvt marked the issue as duplicate of #14
#1 - c4-judge
2022-12-06T14:52:56Z
dmvt marked the issue as satisfactory
#2 - C4-Staff
2022-12-20T05:56:43Z
liveactionllama marked the issue as duplicate of #369