020.md

Happy Rouge Coyote

Medium

The owner of the offer may withdraw more interest than he should

Summary

The _claimDebt function allows a lender to claim the full repayment of a loan if it is fully paid, plus any interest that is available. But because of an incorrect assignment, interestToClaim is never reset to 0.

Root Cause

In DebitaV3Loan.sol::302, 0 is assigned to a memory value instead of the actual storage:

    function _claimDebt(uint index) internal {
        infoOfOffers memory offer = m_loan._acceptedOffers[index];
        ...
        uint interest = offer.interestToClaim;
@>      offer.interestToClaim = 0; //@audit changing the memory variable, not the storage variable

        SafeERC20.safeTransfer(
            IERC20(offer.principle),
            msg.sender,
            interest + offer.principleAmount
        );
    }
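
The same memory-versus-storage pattern in isolation, as an added example that is not code from the audited repository: the contract InterestLedger, its struct and its function names are hypothetical, and the token transfer is replaced by a running total so the double payout is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal ledger (not Debita code) isolating the pattern from _claimDebt.
contract InterestLedger {
    struct Offer {
        uint256 principleAmount;
        uint256 interestToClaim;
    }

    Offer[] internal offers;
    uint256 public totalInterestPaid; // stands in for the token transfer

    function addOffer(uint256 principleAmount, uint256 interest) external returns (uint256 index) {
        offers.push(Offer(principleAmount, interest));
        return offers.length - 1;
    }

    // Flawed: `offer` is a memory copy, so the zeroing is discarded when the call returns.
    function claimWithMemoryCopy(uint256 index) external returns (uint256 interest) {
        Offer memory offer = offers[index];
        interest = offer.interestToClaim;
        offer.interestToClaim = 0; // updates the copy only; storage is unchanged
        totalInterestPaid += interest;
    }

    // Corrected: `offer` is a storage reference, so the zeroing persists.
    function claimWithStorageRef(uint256 index) external returns (uint256 interest) {
        Offer storage offer = offers[index];
        interest = offer.interestToClaim;
        offer.interestToClaim = 0; // updates contract state
        totalInterestPaid += interest;
    }

    // What a later claim would still see as owed.
    function pendingInterest(uint256 index) external view returns (uint256) {
        return offers[index].interestToClaim;
    }
}
```

After claimWithMemoryCopy, pendingInterest still returns the original amount and a second call adds it to totalInterestPaid again; after claimWithStorageRef, pendingInterest returns 0 and a second call adds nothing.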

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The owner of the offer may withdraw more interest than he should.

PoC

No response

Mitigation

Fix the following line:

- offer.interestToClaim = 0;
+ loanData._acceptedOffers[index].interestToClaim = 0;
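
Review bot: the added line writes to `loanData._acceptedOffers[index]`, but the excerpt under Root Cause loads the offer from `m_loan._acceptedOffers[index]`, so the fix should name the same storage variable the function actually reads from; confirm which of the two identifiers exists in the contract. An alternative that avoids repeating the path is to declare `offer` with the `storage` location, which makes the existing `offer.interestToClaim = 0;` persist. Either way, a regression test that claims twice on the same index and asserts the second claim pays no interest would lock the fix in.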