
Builder can reduce interest by half by making payments every 1.99 days #61

Closed
code423n4 opened this issue Aug 4, 2022 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") valid

Comments

@code423n4 (Contributor)

Lines of code

https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L824-L859

Vulnerability details

Impact

Builder reduces their interest by half

Proof of Concept

https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L685-L686

```solidity
uint256 _noOfDays = (block.timestamp -
    _communityProject.lastTimestamp) / 86400; // 24*60*60
```

https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L847

```solidity
_communityProject.lastTimestamp = block.timestamp;
```

In Community.sol#returnToLender, the number of days for accumulating interest is rounded down to the nearest day. Then in Community.sol#claimInterest _communityProject.lastTimestamp is updated to block.timestamp. If a builder were to make a small repayment every 1.99 days, only one day's worth of interest would accumulate every ~2 days. This would allow them to reduce their total paid interest by half.

This vulnerability cannot be used to avoid interest completely because if the accumulated interest == 0 then Community.sol#claimInterest won't update the timestamp.

Tools Used

Recommended Mitigation Steps

Change L847 to:

```solidity
_communityProject.lastTimestamp = (block.timestamp / 86400) * 86400;
```
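A small Python model of the two quoted lines, added here as an illustration and not taken from the Rigor contracts: it counts how many whole interest-days a lender is credited when the builder triggers a claim every 1.99 days, under the current timestamp reset and under the proposed day-aligned reset. Function names, the 200-day horizon and the claim cadence are constructed for the example.

```python
# Added simulation (not the project's code) of the rounding described above.
# Only the two behaviours quoted in the issue are modelled: whole-day rounding
# of elapsed time, and the reset of lastTimestamp on every non-zero claim.
DAY = 86400  # 24*60*60, the divisor used in Community.sol


def accrued_days(now: int, last_ts: int) -> int:
    """Whole days elapsed since last_ts, rounded down as in returnToLender."""
    return (now - last_ts) // DAY


def credited_days(total_days: int, claim_interval: int, day_aligned: bool) -> int:
    """Interest-days credited to the lender over `total_days` when the builder
    triggers a repayment/claim every `claim_interval` seconds.

    day_aligned=False mirrors the current code (lastTimestamp = block.timestamp).
    day_aligned=True mirrors the proposed fix: lastTimestamp is snapped back to
    the start of the current day, so the sub-day remainder keeps accruing.
    """
    end = total_days * DAY
    now = last_ts = 0
    credited = 0
    while now + claim_interval <= end:
        now += claim_interval
        days = accrued_days(now, last_ts)
        if days == 0:
            # claimInterest leaves lastTimestamp untouched when interest == 0,
            # which is why the rounding cannot be used to skip interest entirely
            continue
        credited += days
        last_ts = (now // DAY) * DAY if day_aligned else now
    return credited


if __name__ == "__main__":
    horizon = 200                       # days of outstanding debt (constructed)
    every_199_days = 199 * DAY // 100   # 171936 s, the cadence from the issue
    honest = credited_days(horizon, horizon * DAY, day_aligned=False)
    gamed = credited_days(horizon, every_199_days, day_aligned=False)
    fixed = credited_days(horizon, every_199_days, day_aligned=True)
    print(f"single claim at day {horizon}: {honest} interest-days")
    print(f"claim every 1.99 days, current code: {gamed} interest-days")
    print(f"claim every 1.99 days, day-aligned fix: {fixed} interest-days")
```

Over 200 days the current reset credits 100 interest-days against 200 for a single end-of-term claim, while the day-aligned reset credits 199, since the remainder below a whole day is no longer discarded on each claim.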
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 4, 2022
code423n4 added a commit that referenced this issue Aug 4, 2022
@horsefacts

Duplicate of #180

@zgorizzo69 zgorizzo69 added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Aug 12, 2022
@jack-the-pug jack-the-pug added 3 (High Risk) Assets can be stolen/lost/compromised directly duplicate This issue or pull request already exists valid and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 27, 2022