An attacker could manipulate the last timestamp of a lien in the stack struct to cause an underflow or overflow in the interest calculation. This could result in an incorrect interest amount being calculated, which could lead to incorrect payments being made or incorrect amounts of debt being reported. In a worst-case scenario, the impact of this attack is that the attacker can cause a financial loss to the contract owner or other users by manipulating the interest calculation to receive a larger amount of interest than they are actually owed.
Proof of Concept
Let's say again that "Bob" is an attacker; here is a proof of concept example:
1.) Bob creates a malicious smart contract that calls the _getInterest() function with a lien last timestamp that is in the past, for example, block.timestamp - 10.
2.) The smart contract calculates the interest based on the difference between the current block timestamp and the last timestamp of the lien, which is stored in the stack struct. Since the last timestamp is in the past, the difference is negative, causing the interest calculation to underflow and resulting in a very small or even zero interest.
3.) Bob can then use this smart contract to make payments on a lien with a very small or zero interest, effectively stealing from the lien owner.
4.) The lien owner, who is assuming they will be charged interest on the loan, will be at a financial loss as they will not be receiving the expected interest payments.
Tools Used
Manual Review
Recommended Mitigation Steps
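function _getInterest(Stack memory stack, uint256 timestamp) internal view returns (uint256) {
    // Revert unless the timestamp is after the lien's last recorded timestamp
    if (timestamp <= stack.point.last) {
        revert InvalidLastTimeStamp();
    }
    // Revert if the timestamp is later than the current block
    if (timestamp > block.timestamp) {
        revert InvalidBlockTimestamp();
    }
    // Both guards passed, so timestamp > stack.point.last and the subtraction cannot underflow
    uint256 delta_t = timestamp - stack.point.last;
    return (delta_t * stack.lien.details.rate).mulWadDown(stack.point.amount);
}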
The same implementation can be applied to the _getRemainingInterest() function.
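The arithmetic discussed above, modelled in Python as an added example (not code from this report or from the Astaria code base): it evaluates the formula under Solidity 0.8+ checked uint256 semantics, shows what an unchecked subtraction would wrap to, and applies the two recommended guards. The helper names and all sample values are constructed for illustration.

```python
# Python model of the uint256 arithmetic behind _getInterest() (added example).
# Helper names and all sample values below are constructed for illustration.
WAD = 10**18
UINT256_MAX = 2**256 - 1
LAST = 1_700_000_000   # constructed: lien's last recorded timestamp
NOW = LAST + 10        # constructed: current block timestamp
RATE = 10**9           # constructed: per-second rate, WAD-scaled
AMOUNT = 2 * WAD       # constructed: outstanding amount


class Revert(Exception):
    """Stands in for an EVM revert; the message names the reason."""


def checked(value: int) -> int:
    # Solidity 0.8+ semantics: an out-of-range uint256 result reverts, it never wraps.
    if not 0 <= value <= UINT256_MAX:
        raise Revert("Panic(0x11): arithmetic underflow or overflow")
    return value


def wrapped_delta(last: int, timestamp: int) -> int:
    # What an unchecked subtraction would yield: the result modulo 2**256.
    return (timestamp - last) % 2**256


def get_interest(last: int, rate: int, amount: int, timestamp: int) -> int:
    # Formula from the page: (delta_t * rate).mulWadDown(amount).
    delta_t = checked(timestamp - last)
    scaled = checked(delta_t * rate)
    return checked(scaled * amount) // WAD  # mulWadDown also reverts on overflow


def get_interest_guarded(last, rate, amount, timestamp, block_timestamp):
    # The two guards from the recommended mitigation, then the same formula.
    if timestamp <= last:
        raise Revert("InvalidLastTimeStamp")
    if timestamp > block_timestamp:
        raise Revert("InvalidBlockTimestamp")
    return get_interest(last, rate, amount, timestamp)


def reason(fn, *args) -> str:
    # Run fn and report either "ok:<value>" or the revert reason.
    try:
        return f"ok:{fn(*args)}"
    except Revert as exc:
        return str(exc).split(":")[0]
```

With the guard written as timestamp <= stack.point.last, a call whose timestamp equals the last recorded one reverts, whereas the unguarded formula returns zero interest for that case.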
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/LienToken.sol#L255-L263
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/LienToken.sol#L775-L782