Community can lose interest because interest was calculated by days instead of seconds #221
Labels: 3 (High Risk), bug, duplicate, valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Community.sol#L684-L694
Vulnerability details
Impact
The community's owner loses part of the interest from the project (up to half of the total interest).
Proof of concept
When the builder repays any loan amount via repayLender() (or the community calls lendToProject()), claimInterest() in the Community contract is called, and the interest is then calculated in returnToLender().
It calculates the number of days between the current and the last timestamp.
Here, the calculation skips (block.timestamp - _communityProject.lastTimestamp) % 86400 seconds. The more calls to repayLender() and lendToProject(), the more time is skipped.
After that:
When _unclaimedInterest > 0 (which means _noOfDays > 0), the variable lastTimestamp is updated in claimInterest(). The redundant seconds then accumulate (up to half of the total time).
Example scenario:
The builder calls repayLender() (with any amount > 0, such as 1 wei) continuously, with the number of seconds between calls smaller than but close to 86400 * 2. After 1 year (365 days), the total interest is calculated on only about 183 days, so the community's owner has lost almost half of the total interest that should be claimed from this project.
Tools Used
Manual review
Recommended Mitigation Steps
Calculate the interest in units of seconds instead of days.
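The example scenario and the seconds-based mitigation, compared in a small simulation (an added example, not code from the report or from the Rigor contracts). It assumes a simple-interest model with the APR expressed in per-mille and uses constructed values for principal and rate; accrue, schedule and compare are hypothetical names.

```python
DAY = 86_400
YEAR = 365 * DAY

def accrue(principal, apr_permille, call_times, unit):
    """Total interest credited over call_times (seconds since the loan started).

    unit=DAY models the behaviour the report describes: elapsed time is
    truncated to whole days, and lastTimestamp moves to 'now' whenever the
    credited interest is non-zero, discarding the remainder.
    unit=1 models the recommended mitigation: accrue per second.
    The interest formula itself is an assumption (simple interest, per-mille APR).
    """
    last_ts, total = 0, 0
    for now in call_times:
        periods = (now - last_ts) // unit      # truncation happens here
        interest = principal * apr_permille * periods * unit // (1000 * YEAR)
        if interest > 0:
            total += interest
            last_ts = now                      # (now - last_ts) % unit is lost
    return total

def schedule(interval, horizon=YEAR):
    """Calls every `interval` seconds, plus a final settlement at `horizon`."""
    return list(range(interval, horizon, interval)) + [horizon]

# Constructed inputs (assumptions): 3,650,000 tokens with 18 decimals, 10% APR.
PRINCIPAL = 3_650_000 * 10**18
APR_PERMILLE = 100

def compare(interval):
    """Return (days-based total, seconds-based total) for one call interval."""
    times = schedule(interval)
    return (accrue(PRINCIPAL, APR_PERMILLE, times, DAY),
            accrue(PRINCIPAL, APR_PERMILLE, times, 1))

if __name__ == "__main__":
    for label, interval in [("every 2 days - 1 s", 2 * DAY - 1), ("every day", DAY)]:
        by_days, by_seconds = compare(interval)
        print(f"{label:>20}: days-based {by_days / 10**18:,.0f}  "
              f"seconds-based {by_seconds / 10**18:,.0f}")
```

With calls one second short of two days apart, the days-based total covers 183 of 365 days, while the seconds-based total differs from the full year's interest only by integer rounding.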