Expired contracts affect distribution until released #123
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-630
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L225
Vulnerability details
Impact
In current realisation of the contracts there is no real-time tracking of expired contracts and they could affect other contracts releases. Expired contract can only be released by contract manager. If the process is not automated and expired contracts should be closed manually by users - it could lead to some misscalculations and losses of profit since expired bond will affect ratio until it is released.
Scenario
Step 1 ) Create 2 bonds with close expiration time:
Step 2) Make a distribution at day 10 after first bond expired (e.g. 1000 eth)
Step 3) Wait 1 more day to expire second bond and release it while first bond still not released
Expected result:
Actual result:
Proof of Concept
Here is the small test for proof of concept in the fork repository - https://github.com/ermaniwe/2022-12-tigris/blob/release_test/test/09.Bonds.js#L248 .
Tools Used
hardhat and chai
Recommended Mitigation Steps
probably it would be better to make a redistribution on any release event. Since expired contract can't be extended - it shouldn't affect them
The text was updated successfully, but these errors were encountered: