Contest: https://code4rena.com/contests/2022-11-debt-dao-contest
- H-01 Whitelisted functions aren't scoped to revenue contracts and may lead to unnoticed calls due to selector clashing
- H-02 Revenue tokens coming from a particular contract can be claimed with settings from another contract that would benefit a particular party
- H-03 Uninitialized Revenue settings can be used to claim revenue that goes 100% to the treasury
- H-04 Potential DoS in `claimRevenue` function with ETH token
- H-05 Potential DoS in `updateOutstandingDebt` function in LineOfCredit contract
- H-06 Potential DoS in `accrueInterest` function in LineOfCredit contract
- H-07 Mutual consent may lead to ETH deposit lost in `addCredit` function of LineOfCredit contract
- H-08 Mutual consent may lead to ETH deposit lost in `increaseCredit` function of LineOfCredit contract
- H-09 Unprotected access to `depositAndRepay` function in LineOfCredit contract
- H-10 Potential DoS in `borrow` function in LineOfCredit contract
- H-11 Closing a paid credit may lead to incorrectly stepping the queue
- H-12 Potential DoS while repaying debt in LineOfCredit contract
- H-13 Potential DoS when closing a credit nominated in ETH in the LineOfCredit contract
- H-14 Reentrancy attack when closing a credit in the LineOfCredit contract
- H-15 Closing an unexisting credit can overflow the credit count variable in the LineOfCredit contract
- H-16 Line of credit status can be set to REPAID even if having credits with debt
- H-17 `useAndRepay` function can be used to underflow the principal debt of a credit
- M-01 Missing relation between Revenue contract and token in `claimRevenue` function of Spigot contract
- M-02 `operate` function in Spigot can be used to make arbitrary calls on behalf of the Spigot
- M-03 `LineLib.receiveTokenOrETH` can receive a greater ETH amount than expected
- M-04 The `accrueInterest` function in LineOfCredit contract doesn't check for null/deleted credits
- M-05 FIFO repayment invariant isn't technically correct when a credit is re-borrowed
- M-06 `close` function in LineOfCredit can't be called by the lender if credit is in ETH
- M-07 Functions that involve a trade in the SpigotedLine contract should link trade output to credit debt