code423n4 / 2023-09-ondo-findings / issue 533
Sep 07, 2023

Precision Error in getPrice due to Omission of Last Day's Interest

Source: Code4rena (github.com)
Tags: vulnerability, precision loss, price discrepancy, contract behavior, misleading information, mitigation steps

Lines of code

Vulnerability details

The code attempts to calculate the price based on the interest from the previous day by using range.end - 1. However, if the last day represented by range.end has fully passed, the interest for this day is never taken into account. Over time, these slight omissions can compound, leading to incorrect price information.

Impact

  • Accumulative loss of precision: Though the error might appear negligible in isolated instances, over an
    extended period, the cumulative effect can result in significant discrepancies in the price.
  • Any functionalities or contracts relying on the precise price data from this function might behave
    differently than expected due to the precision error.
  • Users or contract participants might be misled by the wrong price information, which can affect their
    decisions and interactions with the contract.

Proof of Concept

  1. Alice sets the range.end to a specific timestamp representing the end of a month.
  2. Bob interacts with the contract the day after the month ends, calling the getPrice function.
    The contract returns a price derived from range.end - 1, thereby excluding the interest of the last day
    of the month.
  3. Over several months, these omissions compound, and when Carol checks the price much later, she receives
    a value that’s off from the expected accurate price due to these accumulated precision errors.

Tools Used

Recommended Mitigation Steps

Introduce a condition to check if range.end is greater than block.timestamp. If so, the function should account for the interest of the full last day instead of subtracting one.
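A model of the reported behaviour, added here as an illustration and not the audited contract's own code. It assumes a simplified daily-compounding oracle: a range with fields start, end, daily_rate and prev_close (only range.end appears in the finding) and a price that compounds once per whole elapsed day; the vulnerable path prices a fully elapsed range at range.end - 1, the fixed path at range.end, and monthly ranges are chained as in the proof of concept so the dropped days accumulate.

```python
from dataclasses import dataclass
from fractions import Fraction

DAY = 86400  # seconds; interest is assumed to accrue once per whole day

@dataclass(frozen=True)
class Range:
    start: int            # timestamp at which the range begins (assumed field)
    end: int              # timestamp at which the range ends
    daily_rate: Fraction  # interest per whole day, e.g. Fraction(1, 10000)
    prev_close: Fraction  # price the previous range closed at (assumed field)

def derive_price(rng: Range, t: int) -> Fraction:
    """Assumed pricing formula: compound prev_close once per whole day elapsed."""
    elapsed_days = (t - rng.start) // DAY
    return rng.prev_close * (1 + rng.daily_rate) ** elapsed_days

def get_price(rng: Range, now: int, fixed: bool) -> Fraction:
    """Reported behaviour: a fully elapsed range is priced at range.end - 1,
    so the whole-day floor in derive_price drops the final day. With
    fixed=True the range is priced at range.end and the last day counts."""
    if rng.end <= now:  # the range has fully passed
        return derive_price(rng, rng.end if fixed else rng.end - 1)
    return derive_price(rng, now)

def simulate(months: int, fixed: bool, days_per_month: int = 30,
             daily_rate: Fraction = Fraction(1, 10000)) -> Fraction:
    """Chain consecutive ranges as in the PoC: each range opens at the price
    the previous one returned when queried the day after it ended."""
    price, start = Fraction(1), 0
    for _ in range(months):
        rng = Range(start, start + days_per_month * DAY, daily_rate, price)
        price = get_price(rng, rng.end + DAY, fixed)  # queried a day late
        start = rng.end
    return price

def days_of_interest_lost(months: int) -> int:
    """Number of daily compounding steps the vulnerable path dropped."""
    rate = Fraction(1, 10000)
    ratio = simulate(months, True, daily_rate=rate) / simulate(months, False, daily_rate=rate)
    lost = 0
    while ratio > 1:  # ratio is exactly (1 + rate) ** lost, so this terminates
        ratio /= 1 + rate
        lost += 1
    return lost

if __name__ == "__main__":
    for m in (1, 6, 12):
        print(m, "month(s):", days_of_interest_lost(m), "day(s) of interest dropped")
```

Under this model each fully elapsed range loses exactly one day of interest, so the gap grows by one compounding step per range rather than staying constant.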

Assessed type

Other

