code-423n4 / 2024-01-opus-findings


Anyone can forge and use yin in an interest-free way as long as they repay all debt in the same interval #147

Closed c4-bot-2 closed 7 months ago

c4-bot-2 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-opus/blob/main/src/core/shrine.cairo#L845

Vulnerability details

Impact

Charging interest only happens on interval boundaries, meaning that forging yin is essentially free as long as the debt is repaid in the same interval. This behavior can be used to create a multi-block flash mint, where yin is minted, used for some purpose, and returned to the system with no fee.

This is unfair to the other users of the system, who pay interest on their outstanding yin.

This can also be used by whales to grief the smaller users, always keeping the shrine debt close to the debt ceiling, except for the brief period while the block number advances from interval t to interval t+1. (If the whale is able to ensure their transactions get added to blocks on demand, with priority, then returning the debt could be the last tx in block t*INTERVAL, and forging new debt the first tx in block t*INTERVAL+1, giving other users no opportunity to forge any yin at all.)

Tools Used

Manual review.

Recommended Mitigation Steps

Either specify a minimum duration of at least one interval before debt can be repaid, or ask the users to always pay some fee even for a sequence of forge and melt called in the same block.

Assessed type

Other
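An added illustration, not code from the Opus repository or from the report's author: a toy Python model of a shrine whose interest is charged only when an interval boundary is crossed. The interval length, the rate, the `Trove`/`ToyShrine` names and the two mitigation knobs (`min_intervals_before_melt`, `forge_fee_bps`) are assumptions chosen to reproduce the behaviour described above, the whale's ceiling-squatting pattern, and the effect of each recommended fix.

```python
"""Toy model of interval-boundary interest accrual. Added example, not Opus's
shrine.cairo; all constants, names and mitigation knobs here are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

INTERVAL = 1800               # seconds per interval (assumed value)
RATE_BPS_PER_INTERVAL = 10    # 0.10 % interest per interval (assumed value)
BPS = 10_000


def interval_of(ts: int) -> int:
    return ts // INTERVAL


@dataclass
class Trove:
    debt: int = 0             # outstanding yin
    last_interval: int = 0    # interval at which interest was last charged
    forged_interval: int = 0  # interval of the most recent forge
    paid: int = 0             # interest and fees charged over the trove's life


class ToyShrine:
    def __init__(self, debt_ceiling: int, min_intervals_before_melt: int = 0,
                 forge_fee_bps: int = 0):
        self.debt_ceiling = debt_ceiling
        self.min_intervals = min_intervals_before_melt  # mitigation 1 (assumed design)
        self.forge_fee_bps = forge_fee_bps              # mitigation 2 (assumed design)
        self.total_debt = 0

    def charge(self, trove: Trove, now: int) -> None:
        """Accrue interest once per interval boundary crossed since the last charge.
        Debt that exists only inside one interval crosses no boundary and pays nothing."""
        cur = interval_of(now)
        for _ in range(cur - trove.last_interval):
            interest = trove.debt * RATE_BPS_PER_INTERVAL // BPS
            trove.debt += interest
            trove.paid += interest
            self.total_debt += interest
        trove.last_interval = cur

    def forge(self, trove: Trove, amount: int, now: int) -> None:
        self.charge(trove, now)
        fee = amount * self.forge_fee_bps // BPS   # zero unless mitigation 2 is on
        if self.total_debt + amount + fee > self.debt_ceiling:
            raise ValueError("debt ceiling reached")
        trove.debt += amount + fee
        trove.paid += fee
        self.total_debt += amount + fee
        trove.forged_interval = interval_of(now)

    def melt(self, trove: Trove, now: int) -> None:
        """Repay the trove's whole debt."""
        self.charge(trove, now)
        if interval_of(now) - trove.forged_interval < self.min_intervals:
            raise ValueError("debt must stay outstanding for at least one interval")
        self.total_debt -= trove.debt
        trove.debt = 0


def round_trip_cost(shrine: ToyShrine, amount: int, forge_ts: int,
                    melt_ts: int) -> Optional[int]:
    """Forge `amount` at forge_ts and repay everything at melt_ts. Returns the total
    interest plus fees paid, or None if the shrine rejected the early repayment."""
    trove = Trove()
    shrine.forge(trove, amount, forge_ts)
    try:
        shrine.melt(trove, melt_ts)
    except ValueError:
        return None
    return trove.paid


def whale_grief(intervals: int) -> Tuple[int, int]:
    """Whale holds the whole ceiling, melting at the last second of each interval and
    re-forging at the first second of the next. Returns (whale's total cost, number of
    intervals in which a small user's mid-interval forge of 1 unit was rejected)."""
    shrine = ToyShrine(debt_ceiling=1_000_000)
    whale, small = Trove(), Trove()
    shrine.forge(whale, 1_000_000, 0)
    rejected = 0
    for k in range(intervals):
        try:
            shrine.forge(small, 1, k * INTERVAL + INTERVAL // 2)
        except ValueError:
            rejected += 1
        shrine.melt(whale, (k + 1) * INTERVAL - 1)          # last second of interval k
        shrine.forge(whale, 1_000_000, (k + 1) * INTERVAL)  # first second of interval k+1
    return whale.paid, rejected
```

With the defaults, a forge at second 100 and a full melt at second 1700 of the same interval costs nothing, while holding the same debt across a single boundary costs one interval of interest; with `min_intervals_before_melt=1` the same-interval melt is rejected, and with `forge_fee_bps=5` the round trip always pays the fee. `whale_grief` shows the ceiling-squatting pattern: the whale pays nothing while every mid-interval forge by the small user fails.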

c4-pre-sort commented 7 months ago

bytes032 marked the issue as sufficient quality report

c4-pre-sort commented 7 months ago

bytes032 marked the issue as duplicate of #121

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Overinflated severity