Precision Error in getPrice due to Omission of Last Day's Interest

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/rwaOracles/RWADynamicOracle.sol#L81

Vulnerability details

The code attempts to calculate the price based on the interest from the previous day by using range.end - 1. However, if the last day represented by range.end has fully passed, the interest for this day is never taken into account. Over time, these slight omissions can compound, leading to incorrect price information.

Impact

• Accumulative loss of precision: Though the error might appear negligible in isolated instances, over an extended period, the cumulative effect can result in significant discrepancies in the price.
• Any functionalities or contracts relying on the precise price data from this function might behave differently than expected due to the precision error.
• Users or contract participants might be misled by the wrong price information, which can affect their decisions and interactions with the contract.

Proof of Concept

1. Alice sets the range.end to a specific timestamp representing the end of a month.
2. Bob interacts with the contract the day after the month ends, calling the getPrice function. The contract returns a price derived from range.end - 1, thereby excluding the interest of the last day of the month.
3. Over several months, these omissions compound, and when Carol checks the price much later, she receives a value that's off from the expected accurate price due to these accumulated precision errors.

Tools Used

Recommended Mitigation Steps

Introduce a condition to check if range.end is greater than block.timestamp. If so, the function should account for the interest of the full last day instead of subtracting one.

Assessed type

Other

[c4-pre-sort]

raymondfam marked the issue as duplicate of #492

[c4-pre-sort]

raymondfam marked the issue as low quality report

[c4-judge]

kirk-baird marked the issue as unsatisfactory: Invalid