In Vault.sol:repayDebt(), when a higher amount than the _debt is being sent, the function executes its else statement which can decrease totalDebt by more than it should.
Here, a target is can repay back in excess. While more money seem nice, this might stop future users from repaying their debts as totalDebt -= _debt; could get below 0 and revert the transaction due to an underflow (totalDebt is of type uint256, not int)
Tools Used
VS Code
Recommended Mitigation Steps
Either do not allow for more repayment than the debt, or considerer making totalDebt an int
Withdrawn by warden Dravee: "There's no issue (I must've misread totalDebt -= _amount; instead of totalDebt -= _debt;. Thank you for deleting that submission."
Handle
Dravee
Vulnerability details
Impact
DOS
Proof of Concept
In
Vault.sol:repayDebt()
, when a higheramount
than the_debt
is being sent, the function executes itselse
statement which can decreasetotalDebt
by more than it should.Here, a target is can repay back in excess. While more money seem nice, this might stop future users from repaying their debts as
totalDebt -= _debt;
could get below 0 and revert the transaction due to an underflow (totalDebt
is of typeuint256
, notint
)Tools Used
VS Code
Recommended Mitigation Steps
Either do not allow for more repayment than the debt, or considerer making
totalDebt
anint