Expired contracts affect distribution until released

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L225

Vulnerability details

Impact

In current realisation of the contracts there is no real-time tracking of expired contracts and they could affect other contracts releases. Expired contract can only be released by contract manager. If the process is not automated and expired contracts should be closed manually by users - it could lead to some misscalculations and losses of profit since expired bond will affect ratio until it is released.

Scenario

Step 1 ) Create 2 bonds with close expiration time:

• 1000 eth for 10 days
• 1000 eth for 11 days

Step 2) Make a distribution at day 10 after first bond expired (e.g. 1000 eth)

Step 3) Wait 1 more day to expire second bond and release it while first bond still not released

Expected result:

• owner of the second bond should receive 1000 eth as he was the only one active bond at time of distribution

Actual result:

• owner of the second bond receives 523 eth since first bond wasn't released and ratio wasn't redistributed

Proof of Concept

Here is the small test for proof of concept in the fork repository - https://github.com/ermaniwe/2022-12-tigris/blob/release_test/test/09.Bonds.js#L248 .

Tools Used

hardhat and chai

Recommended Mitigation Steps

probably it would be better to make a redistribution on any release event. Since expired contract can't be extended - it shouldn't affect them

[GalloDaSballo]

    it("Rewards should be received from an expired bond upon release", async function () {
      await stabletoken.connect(owner).mintFor(owner.address, ethers.utils.parseEther("1000"));
      await lock.connect(owner).lock(StableToken.address, ethers.utils.parseEther("1000"), 11);
      await stabletoken.connect(owner).mintFor(user.address, ethers.utils.parseEther("1000"));
      await lock.connect(user).lock(StableToken.address, ethers.utils.parseEther("1000"), 10);

      await network.provider.send("evm_increaseTime", [864000]); // Skip 10 days
      await network.provider.send("evm_mine");

      await stabletoken.connect(owner).mintFor(owner.address, ethers.utils.parseEther("1000"));
      await bond.distribute(stabletoken.address, ethers.utils.parseEther("1000"));

      [,,,,,, expireEpoch,,,,] = await bond.idToBond(2);
      expect(await bond.epoch(stabletoken.address)).to.be.equals(expireEpoch);
      expect(await bond.isExpired(1)).to.be.equals(false);
      expect(await bond.isExpired(2)).to.be.equals(true);

      expect(await bond.pending(1)).to.be.equals("523809523809523809500");
      expect(await bond.pending(2)).to.be.equals("0");
      
      //if expired contract was released - redistribution happens and test passes
      //await lock.connect(user).release(2);

      await network.provider.send("evm_increaseTime", [867600]); // Skip 11 days
      await network.provider.send("evm_mine");
      
      await lock.connect(owner).release(1);
      expect(await stabletoken.balanceOf(owner.address)).to.be.equals("1999999999999999999941"); // 2000 tiUSD after release
    });

[c4-judge]

GalloDaSballo marked the issue as duplicate of #523

[c4-judge]

GalloDaSballo marked the issue as duplicate of #630

[c4-judge]

GalloDaSballo marked the issue as satisfactory