Open c4-submissions opened 1 year ago
Consider QA
0xRobocop marked the issue as low quality report
0xRobocop marked the issue as primary issue
0xRobocop marked the issue as high quality report
0xRobocop marked the issue as remove high or low quality report
chechu marked the issue as disagree with severity
Consider QA.
calculateAPR and estimateAPR return values that should be considered estimations. They consider the current situation of the contract, in the current block, but there are a lot of external factors that will affect these estimations. For example, if another user withdraws their XVS, the sum of scores will change and the APR of our user will change.
chechu (sponsor) confirmed
fatherGoose1 changed the severity to QA (Quality Assurance)
Agree with QA. The functions provide estimations of APR. All APRs across DeFi are estimations that vary often upon changing other underlying factors.
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L40
Vulnerability details
Impact
calculateAPR will return incorrect and misleading numbers.
Proof of Concept
Some chains like Optimism & opBNB may have non-deterministic block time (so the number of blocks produced in a year may change). This means that the calculateAPR (likely a view function for frontend) -- which relies upon the block time -- may display incorrect numbers, leading to a potentially false advertisement.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Other