Builder can reduce interest by half by making payments every 1.99 days #61
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L824-L859
Vulnerability details
Impact
Builder reduces their interest by half
Proof of Concept
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L685-L686
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L847
In Community.sol#returnToLender, the number of days for accumulating interest is rounded down to the nearest day. Then, in Community.sol#claimInterest, _communityProject.lastTimestamp is updated to block.timestamp. If a builder were to make a small repayment every 1.99 days, only one day's worth of interest would accumulate every ~2 days. This would allow them to reduce their total paid interest by half.
This vulnerability cannot be used to avoid interest completely because if the accumulated interest == 0 then Community.sol#claimInterest won't update the timestamp.
Tools Used
Recommended Mitigation Steps
Change L847 to:
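The rounding loss described in the Proof of Concept, modelled in Python as an added example; it is not the Rigor contract code, the reporter's PoC, or the change the report recommends for L847. The per-day interest formula, the constant principal, the sample loan values and the `carry_remainder` variant (one possible way to keep the partial day) are assumptions of this model.

```python
DAY = 86_400  # seconds

def accrue(principal, apr_permille, last_ts, now, carry_remainder=False):
    """One interest claim: returns (interest, new_last_ts)."""
    days = (now - last_ts) // DAY  # whole days only, as the report describes
    # Assumed simple-interest formula for this model: principal * APR * days / 365.
    interest = principal * apr_permille * days // 365_000
    if interest == 0:
        return 0, last_ts  # report: timestamp is not updated when interest == 0
    if carry_remainder:
        # Assumed hardening: advance only by the days actually charged,
        # so the partial day stays in the next period.
        return interest, last_ts + days * DAY
    return interest, now  # reported behaviour: the partial day is discarded

def total_interest(principal, apr_permille, interval, horizon, carry_remainder=False):
    """Interest charged when a claim is triggered every `interval` seconds."""
    last_ts, now, total = 0, 0, 0
    while now + interval <= horizon:
        now += interval
        interest, last_ts = accrue(principal, apr_permille, last_ts, now, carry_remainder)
        total += interest
    # Final settlement at the end of the loan term.
    interest, last_ts = accrue(principal, apr_permille, last_ts, horizon, carry_remainder)
    return total + interest

# Constructed sample loan: 1,000,000 units at 10% APR (100 per mille), 360-day term.
PRINCIPAL, APR, TERM = 1_000_000, 100, 360 * DAY
EVERY_1_99_DAYS = 171_936  # 1.99 days in seconds

def compare():
    return {
        "daily": total_interest(PRINCIPAL, APR, DAY, TERM),
        "every_1.99_days": total_interest(PRINCIPAL, APR, EVERY_1_99_DAYS, TERM),
        "every_1.99_days_carry": total_interest(PRINCIPAL, APR, EVERY_1_99_DAYS, TERM, True),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value}")
```

With the timestamp reset to the current time, the 1.99-day schedule is charged for 181 days out of 360; with the remainder carried forward, all 360 days are charged regardless of the claim schedule.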