Debt DAO contest - datapunk's results

A cryptonative credit marketplace for fully anon and trustless loans to DAOs.

General Information

Platform: Code4rena

Start Date: 03/11/2022

Pot Size: $115,500 USDC

Total HM: 17

Participants: 120

Period: 7 days

Judge: LSDan

Total Solo HM: 1

Id: 174

League: ETH

Debt DAO

Researcher Performance

Rank: 110/120

Findings: 2

Award: $40.83

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
partial-25
duplicate-355

Awards

35.4853 USDC - $35.49

External Links

Lines of code

https://github.com/debtdao/Line-of-Credit/blob/6987988fe39901cad9a8e5ebb2c6aa719590873d/contracts/utils/LineLib.sol#L59

Vulnerability details

Impact

receiveTokenOrETH() receives funds. However, there is a code path within the function that does not require Ether. Ether passed to the function, when the non-Ether code path is taken, is locked in the contract forever, and the sender gets nothing extra in return for it.

Proof of Concept

If ETH is provided for an ERC20 credit line, it would not be accounted for, thus lost forever to the user. msg.value shouldn’t be provided here:

    if(token != Denominations.ETH) { // ERC20
        // @audit add require(msg.value==0);
        IERC20(token).safeTransferFrom(sender, address(this), amount);
    }

Tools Used

VSCode

Add a require(0 == msg.value) for the above three conditions.

#0 - c4-judge

2022-11-17T15:47:26Z

dmvt marked the issue as duplicate of #25

#1 - c4-judge

2022-11-17T19:30:40Z

dmvt marked the issue as partial-25

#2 - c4-judge

2022-12-06T15:13:10Z

dmvt marked the issue as not a duplicate

#3 - c4-judge

2022-12-06T15:13:18Z

dmvt marked the issue as duplicate of #89

#4 - c4-judge

2022-12-06T17:42:25Z

dmvt marked the issue as partial-25

#5 - C4-Staff

2022-12-20T06:05:46Z

liveactionllama marked the issue as duplicate of #355

Awards

5.3388 USDC - $5.34

Labels

bug
2 (Med Risk)
satisfactory
duplicate-369

External Links

Lines of code

https://github.com/debtdao/Line-of-Credit/blob/6987988fe39901cad9a8e5ebb2c6aa719590873d/contracts/utils/LineLib.sol#L48

Vulnerability details

Impact

The use of payable.transfer() is heavily frowned upon because it can lead to the locking of funds. The transfer() call requires that the recipient has a payable callback, and only provides 2300 gas for its operation. This means the following cases can cause the transfer to fail:

- The contract does not have a payable callback
- The contract’s payable callback spends more than 2300 gas (which is only enough to emit something)
- The contract is called through a proxy which itself uses up the 2300 gas

If a user falls into one of the above categories, they’ll be unable to receive funds from the vault in a migration wrapper. Inaccessible funds means loss of funds, which is Medium severity.

Proof of Concept

payable(receiver).transfer(amount); in https://github.com/debtdao/Line-of-Credit/blob/6987988fe39901cad9a8e5ebb2c6aa719590873d/contracts/utils/LineLib.sol#L48

Use address.call{value:x}() instead.

#0 - c4-judge

2022-11-17T15:47:40Z

dmvt marked the issue as duplicate of #14

#1 - c4-judge

2022-11-17T19:18:10Z

dmvt marked the issue as partial-50

#2 - c4-judge

2022-12-06T14:43:20Z

dmvt marked the issue as full credit

#3 - c4-judge

2022-12-06T14:43:24Z

dmvt marked the issue as satisfactory

#4 - C4-Staff

2022-12-20T05:56:43Z

liveactionllama marked the issue as duplicate of #369
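Both findings above recommend small changes to the same pair of helpers: reject stray msg.value on the ERC20 path, and send ETH with call instead of transfer(). The sketch below is an added example, not Debt DAO's LineLib or the fix the project shipped; the library name, the error names, the ETH sentinel constant and the exact-amount check on the ETH path are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example: hypothetical library, not the audited LineLib.
library HardenedTransferLib {
    using SafeERC20 for IERC20;

    // Assumed sentinel address for native ETH (stand-in for Denominations.ETH).
    address internal constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

    error UnexpectedEther();   // ETH attached to an ERC20 deposit
    error WrongEtherAmount();  // msg.value does not match the stated amount
    error EtherSendFailed();   // recipient reverted or ran out of gas

    function receiveTokenOrETH(address token, address sender, uint256 amount) internal {
        if (token != ETH) {
            // ERC20 path: any attached ETH would never be accounted for,
            // so revert instead of silently keeping it.
            if (msg.value != 0) revert UnexpectedEther();
            IERC20(token).safeTransferFrom(sender, address(this), amount);
        } else {
            // ETH path: assumption for this example, require an exact match
            // so no surplus can be stranded either.
            if (msg.value != amount) revert WrongEtherAmount();
        }
    }

    function sendOutTokenOrETH(address token, address receiver, uint256 amount) internal {
        if (token != ETH) {
            IERC20(token).safeTransfer(receiver, amount);
        } else {
            // call forwards the remaining gas instead of the fixed 2300 stipend,
            // so contract wallets and proxies can receive. Because the recipient
            // can now run arbitrary code, callers must update their own state
            // before calling this (checks-effects-interactions) or use a
            // reentrancy guard.
            (bool ok, ) = payable(receiver).call{value: amount}("");
            if (!ok) revert EtherSendFailed();
        }
    }
}
```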
