search

sherlock-audit / 2023-02-surge-judging

4 stars 1 forks source link

gogo - State changes in a single block.timestamp are not taken into account #280

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

gogo

medium

State changes in a single block.timestamp are not taken into account

Summary

See Vulnerability Detail.

Vulnerability Detail

The current collateral ratio highly depends on the loan token balance which is changed multiple times withing a single block.timestamp (can be changed via a flashloan as well) but is not taken into account in Pool.getCurrentState because of the timeDelta check.

Impact

Wrong tracking of the current collateral ratio.

Code Snippet

 // 2. Get the time passed since the last interest accrual
uint _timeDelta = block.timestamp - _lastAccrueInterestTime;

// 3. If the time passed is 0, return the current values
if(_timeDelta == 0) return (_currentTotalSupply, _accruedFeeShares, _currentCollateralRatioMantissa, _currentTotalDebt);

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L125-L129

Tool used

Manual Review

Recommendation

Remove the check from the code snippet and update the _currentCollateralRatioMantissa no matter the time.stamp.

Evert0x commented 1 year ago

@nourharidy isn't this problematic in case multiple transaction are execute in the same block?

0xMoaz commented 1 year ago

This is the point from _currentCollateralRatioMantissa, where it shouldn't be updated instantly to prevent manipulation. It relies on change over time.