BondNFT#extendLock force a user to extend the bond at least for current bond.period #359
Comments
Definitely worth flagging
It does work as expected. Users can't extend Bonds past 365 days.
TriHaz marked the issue as sponsor disputed
Did you notice that: The extension was done for 8 days, not 3 days. Moreover, here is another, more critical example:
The max bond time constraint of 365 was bypassed
@TriHaz This looks valid, specifically:
Meaning that an extension will potentially reduce the shares (as duration is lower), but the actual duration will be longer.
The warden has shown that the mechanic for extending locks can cause lock duration to be longer than intended, while rewards math will behave as inputted by the user. While an argument for this being a user mistake could be made, I believe that in this case the demonstrated logic flaw takes precedence. That's because a user interacting with the system as intended will still be locked for longer than intended and receive fewer rewards for that mistake. For this reason (conditionality, logic flaw, no loss of principal) I believe Medium Severity to be appropriate.
GalloDaSballo marked the issue as selected for report
Mitigation: code-423n4/2022-12-tigris#2 (comment)
GainsGoblin marked the issue as sponsor confirmed
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L97-L125
Vulnerability details
Description
The current implementation forces a user to extend their bonds for at least their current bond period. This means that, for instance, a bond which was initially locked for 365 can never be extended, even after a week of being created.
If we consider that a bond should have at least a 7-day lock and at most 365 days, then the current BondNFT.extendLock function should be refactored.
Impact
The BondNFT.extendLock function does not work as expected, forcing users who want to extend their bond to extend it at least for their current bond.period.
POC
Mitigation steps
In order for extendLock to work properly, the current implementation should be changed to: