Code4rena (code423n4): 2023-01-astaria findings, issue 552
Jan 19, 2023

Overflow/Underflow in interest calculation caused by lack of timestamp validation in _getInterest() & _getRemainingInterest() function

Tags: interest calculation, timestamp validation, financial loss, manipulation, smart contract, security vulnerability

Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/LienToken.sol#L775-L782

Vulnerability details

Impact

An attacker could manipulate the last timestamp of a lien in the stack struct to cause an underflow or overflow in the interest calculation. This could result in an incorrect interest amount being calculated, leading to incorrect payments being made or incorrect amounts of debt being reported. In the worst case, the attacker causes a financial loss to the contract owner or other users by manipulating the interest calculation to receive a larger amount of interest than they are actually owed.

Proof of Concept

Let's say again "Bob" is an attacker; here is a proof-of-concept example:

1.) Bob creates a malicious smart contract that calls the _getInterest() function with a lien last timestamp that is in the past, for example, block.timestamp - 10…

2.) The smart contract calculates the interest based on the difference between the current block timestamp and the last timestamp of the lien, which is stored in the stack struct. Since the last timestamp is in the past, the difference is negative, causing the interest calculation to underflow and resulting in a very small or even zero interest.

3.) Bob can then use this smart contract to make payments on a lien with a very small or zero interest, effectively stealing from the lien owner.

4.) The lien owner, who expects interest to accrue on the loan, suffers a financial loss because they do not receive the expected interest payments.

Tools Used

Manual Review

Recommended Mitigation Steps

    // Signature assumed from the linked function; it must be `view` rather than
    // `pure` because the second check reads block.timestamp
    function _getInterest(Stack memory stack, uint256 timestamp)
      internal
      view
      returns (uint256)
    {
      // The queried timestamp must be strictly after the lien's last update,
      // so the subtraction below cannot underflow
      if (timestamp <= stack.point.last) {
        revert InvalidLastTimeStamp();
      }

      // The queried timestamp must not be in the future, so interest is never
      // accrued for time that has not yet elapsed
      if (timestamp > block.timestamp) {
        revert InvalidBlockTimestamp();
      }

      // Same operand order as the original: elapsed time since the last update
      uint256 delta_t = timestamp - stack.point.last;
      return (delta_t * stack.lien.details.rate).mulWadDown(stack.point.amount);
    }

The same checks can be applied in the _getRemainingInterest() function.
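As an added example (not Astaria's code), the following Python model reproduces the uint256 arithmetic of _getInterest() beside the checked version proposed above; the struct field names mirror stack.point.last, stack.point.amount and stack.lien.details.rate, and all sample principal, rate and timestamp values are constructed. It shows that under Solidity >=0.8 checked arithmetic a timestamp before stack.point.last reverts with an opaque panic (the delta wraps to about 2^256 only under unchecked or legacy arithmetic), while a timestamp after block.timestamp is silently accepted and over-accrues interest; the proposed checks reject both with descriptive errors.

```python
# Added example (not Astaria's code): Python model of the uint256 arithmetic in
# LienToken._getInterest(), with and without the proposed timestamp checks.
# Field names mirror stack.point.last/amount and stack.lien.details.rate; values are constructed.
from dataclasses import dataclass

MOD = 2**256
WAD = 10**18  # mulWadDown(x, y) == x * y / 1e18, reverting if x * y overflows


class Panic(Exception):
    """Solidity >=0.8 checked-arithmetic revert (Panic code 0x11)."""


class InvalidLastTimeStamp(Exception): ...   # proposed check: timestamp <= stack.point.last
class InvalidBlockTimestamp(Exception): ...  # proposed check: timestamp > block.timestamp


@dataclass
class Stack:
    last: int    # stack.point.last: timestamp of the lien's last update
    amount: int  # stack.point.amount: WAD-scaled principal
    rate: int    # stack.lien.details.rate: WAD-scaled interest per second


def u256(value: int, checked: bool = True) -> int:
    """Fit a result into uint256: Panic if out of range under checked arithmetic, else wrap."""
    if 0 <= value < MOD:
        return value
    if checked:
        raise Panic("arithmetic underflow/overflow")
    return value % MOD


def mul_wad_down(x: int, y: int) -> int:
    if x * y >= MOD:
        raise Panic("mulWadDown overflow")
    return (x * y) // WAD


def get_interest(stack: Stack, timestamp: int, checked: bool = True) -> int:
    """Original shape: timestamp is bounded by neither stack.last nor block.timestamp."""
    delta_t = u256(timestamp - stack.last, checked)
    return mul_wad_down(u256(delta_t * stack.rate, checked), stack.amount)


def get_interest_validated(stack: Stack, timestamp: int, block_timestamp: int) -> int:
    """Mitigated shape: timestamp must lie in (stack.last, block_timestamp]."""
    if timestamp <= stack.last:
        raise InvalidLastTimeStamp()
    if timestamp > block_timestamp:
        raise InvalidBlockTimestamp()
    return mul_wad_down((timestamp - stack.last) * stack.rate, stack.amount)
```

Calling get_interest with a timestamp one day past the current block still returns a full day of interest, which is the case the first check alone does not cover.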

