Closed c4-bot-2 closed 8 months ago
141345 marked the issue as sufficient quality report
no detailed description about loss
QA is more appropriate
Alec1017 (sponsor) acknowledged
Alec1017 marked the issue as disagree with severity
Agree that QA seems appropriate
0xean marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/modules/PaymentEscrow.sol#L159
Vulnerability details
Impact
If arbitrary values are supplied for amount, elapsedTime, and totalTime, the pro-rata payment distribution is calculated incorrectly. This could result in substantial financial losses for both renters and lenders.
Proof of Concept
The _calculatePaymentProRata function of the contract currently lacks essential parameter validation, such as ensuring the validity of the amount, elapsedTime, and totalTime inputs. This missing validation may allow arbitrary values to be used in the calculation.
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/modules/PaymentEscrow.sol#L159C4-L179C6
```solidity
function _settlePaymentProRata(
    address token,
    uint256 amount,
    address lender,
    address renter,
    uint256 elapsedTime,
    uint256 totalTime
) internal {
    // Calculate the pro-rata payment for renter and lender.
    (uint256 renterAmount, uint256 lenderAmount) = _calculatePaymentProRata(
        amount,
        elapsedTime,
        totalTime
    );
    // ... (remainder of the function not quoted in the report)
}
```
Tools Used
Recommended Mitigation Steps
Add parameter validation checks within the _calculatePaymentProRata function. Ensure that the provided input values are within acceptable ranges and adhere to the expected constraints.
Assessed type
Invalid Validation
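The following is an added illustration, not code from the re-nft repository or from the report: a hypothetical pro-rata split written two ways, once without the checks the report asks for and once with them. The split formula (lender receives amount * elapsedTime / totalTime, renter receives the remainder), the contract name and the custom errors are all assumptions made for this example; the project's own _calculatePaymentProRata may round or assign the shares differently. What the example shows is the concrete behaviour of the two inconsistent inputs the report worries about under Solidity 0.8 checked arithmetic: totalTime == 0 reverts with a division-by-zero panic, and elapsedTime > totalTime makes the lender share exceed amount so the remainder subtraction reverts with an underflow panic. Neither input silently produces a wrong split; the explicit checks replace those panics with named errors and document the invariant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical example (not re-nft's code). Demonstrates a pro-rata split
/// without input validation beside one that validates its inputs.
contract ProRataExample {
    // Assumed error names, introduced for this example only.
    error InvalidTotalTime();
    error ElapsedExceedsTotal(uint256 elapsedTime, uint256 totalTime);

    /// Unvalidated variant. The caller is trusted to pass consistent values.
    /// Under checked arithmetic (Solidity >= 0.8) bad inputs still revert,
    /// but with generic panics rather than a descriptive error.
    function splitUnchecked(
        uint256 amount,
        uint256 elapsedTime,
        uint256 totalTime
    ) public pure returns (uint256 renterAmount, uint256 lenderAmount) {
        // totalTime == 0: reverts with Panic(0x12), division by zero.
        lenderAmount = (amount * elapsedTime) / totalTime;

        // elapsedTime > totalTime: lenderAmount > amount, so this subtraction
        // reverts with Panic(0x11), arithmetic underflow.
        renterAmount = amount - lenderAmount;
    }

    /// Validated variant: reject inconsistent inputs up front with explicit
    /// errors and state the invariant the split must preserve.
    function splitChecked(
        uint256 amount,
        uint256 elapsedTime,
        uint256 totalTime
    ) public pure returns (uint256 renterAmount, uint256 lenderAmount) {
        if (totalTime == 0) revert InvalidTotalTime();
        if (elapsedTime > totalTime) {
            revert ElapsedExceedsTotal(elapsedTime, totalTime);
        }

        // With 0 < elapsedTime <= totalTime, lenderAmount <= amount holds,
        // so the remainder cannot underflow.
        lenderAmount = (amount * elapsedTime) / totalTime;
        renterAmount = amount - lenderAmount;

        // Invariant: rounding neither creates nor destroys value.
        assert(renterAmount + lenderAmount == amount);
    }
}
```

With amount = 1000, elapsedTime = 250 and totalTime = 1000, both variants return renterAmount = 750 and lenderAmount = 250. Whether the explicit checks belong in _calculatePaymentProRata or in its caller depends on whether any code path can actually reach it with inconsistent elapsedTime and totalTime values; the report does not show such a path, which is the gap the judge and sponsor comments above point to when rating the finding as QA.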