Contest: https://code4rena.com/contests/2022-11-debt-dao-contest
- H-01 Whitelisted functions aren't scoped to revenue contracts and may lead to unnoticed calls due to selector clashing
- H-02 Revenue tokens coming from a particular contract can be claimed with settings from another contract that would benefit a particular party
- H-03 Uninitialized Revenue settings can be used to claim revenue that goes 100% to the treasury
- H-04 Potential DoS in
claimRevenuefunction with ETH token - H-05 Potential DoS in
updateOutstandingDebtfunction in LineOfCredit contract - H-06 Potential DoS in
accrueInterestfunction in LineOfCredit contract - H-07 Mutual consent may lead to ETH deposit lost in
addCreditfunction of LineOfCredit contract - H-08 Mutual consent may lead to ETH deposit lost in
increaseCreditfunction of LineOfCredit contract - H-09 Unprotected access to
depositAndRepayfunction in LineOfCredit contract - H-10 Potential DoS in
borrowfunction in LineOfCredit contract - H-11 Closing a paid credit may lead to incorrectly stepping the queue
- H-12 Potential DoS while repaying debt in LineOfCredit contract
- H-13 Potential DoS when closing a credit nominated in ETH in the LineOfCredit contract
- H-14 Reentrancy attack when closing a credit in the LineOfCredit contract
- H-15 Closing an unexisting credit can overflow the credit count variable in the LineOfCredit contract
- H-16 Line of credit status can be set to REPAID even if having credits with debt
- H-17
useAndRepayfunction can be used to underflow the principal debt of a credit
- M-01 Missing relation between Revenue contract and token in
claimRevenuefunction of Spigot contract - M-02
operatefunction in Spigot can be used to make arbitrary calls on behalf of the Spigot - M-03
LineLib.receiveTokenOrETHcan receive a greater ETH amount than expected - M-04 The
accrueInterestfunction in LineOfCredit contract doesn't check for null/deleted credits - M-05 FIFO repayment invariant isn't technically correct when a credit is re-borrowed
- M-06
closefunction in LineOfCredit can't be called by the lender if credit is in ETH - M-07 Functions that involve a trade in the SpigotedLine contract should link trade output to credit debt