code-423n4 / 2024-01-renft-findings


Lack of Validation Parameters in _calculatePaymentProRata Function #636

Closed c4-bot-2 closed 8 months ago

c4-bot-2 commented 8 months ago

Lines of code

https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/modules/PaymentEscrow.sol#L159

Vulnerability details

Impact

Supplying arbitrary values for amount, elapsedTime, and totalTime leads to incorrect calculations in the payment pro-rata distribution. This could result in substantial financial losses for both renters and lenders.

Proof of Concept

The _calculatePaymentProRata function of the contract currently lacks essential parameter validation, such as ensuring the validity of the amount, elapsedTime, and totalTime inputs. This missing validation may allow arbitrary values to be used in the calculation.

https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/modules/PaymentEscrow.sol#L159C4-L179C6

```solidity
function _settlePaymentProRata(
    address token,
    uint256 amount,
    address lender,
    address renter,
    uint256 elapsedTime,
    uint256 totalTime
) internal {
    // Calculate the pro-rata payment for renter and lender.
    (uint256 renterAmount, uint256 lenderAmount) = _calculatePaymentProRata(
        amount,
        elapsedTime,
        totalTime
    );

    // Send the lender portion of the payment.
    _safeTransfer(token, lender, lenderAmount);

    // Send the renter portion of the payment.
    _safeTransfer(token, renter, renterAmount);
}
```

Tools Used

Recommended Mitigation Steps

Add parameter validation checks within the _calculatePaymentProRata function. Ensure that the provided input values are within acceptable ranges and adhere to the expected constraints.

Assessed type

Invalid Validation
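As an added illustration (not code from the re-nft repository), here is a pro-rata split carrying the range checks the report recommends. The split formula itself is an assumption, since the body of _calculatePaymentProRata is not shown in this report; the library and error names are likewise made up for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not re-nft code. Assumed split: the lender earns the elapsed
// share of the rent and the renter is refunded the remainder.
library ProRataExample {
    error InvalidTotalTime();
    error ElapsedExceedsTotal(uint256 elapsedTime, uint256 totalTime);

    function calculatePaymentProRata(
        uint256 amount,
        uint256 elapsedTime,
        uint256 totalTime
    ) internal pure returns (uint256 renterAmount, uint256 lenderAmount) {
        // A zero rental duration would make the division below revert with a
        // bare arithmetic panic; surface it as a descriptive error instead.
        if (totalTime == 0) revert InvalidTotalTime();

        // Elapsed time beyond the rental period would pay the lender more than
        // the escrowed amount and underflow the renter share (Solidity 0.8
        // reverts on that, but a clear error is preferable to a panic).
        if (elapsedTime > totalTime) {
            revert ElapsedExceedsTotal(elapsedTime, totalTime);
        }

        // Multiply before dividing to limit rounding loss.
        lenderAmount = (amount * elapsedTime) / totalTime;

        // Derive the remainder so the two shares always sum to exactly
        // `amount`, leaving no dust stranded in escrow.
        renterAmount = amount - lenderAmount;
    }
}
```

With these checks, elapsedTime == totalTime pays the full amount to the lender and elapsedTime == 0 refunds the full amount to the renter, while any out-of-range pair reverts with a descriptive error rather than silently producing a skewed split.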

c4-pre-sort commented 8 months ago

141345 marked the issue as sufficient quality report

141345 commented 8 months ago

no detailed description about loss

QA is more appropriate

c4-sponsor commented 8 months ago

Alec1017 (sponsor) acknowledged

c4-sponsor commented 8 months ago

Alec1017 marked the issue as disagree with severity

Alec1017 commented 8 months ago

Agree that QA seems appropriate

c4-judge commented 8 months ago

0xean marked the issue as unsatisfactory: Overinflated severity