search

sherlock-audit / 2023-03-teller-judging

8 stars 6 forks source link

helpMePlease - Commitment expiration time checking condition is wrong #495

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

helpMePlease

medium

Commitment expiration time checking condition is wrong

Summary

Vulnerability Detail

https://github.com/teller-protocol/teller-protocol-v2/blob/8f090356c413968600baafc0a51d99900fad9f93/packages/contracts/contracts/LenderCommitmentForwarder.sol#L139

In the above code we can see that that _commitment.expiration > uint32(block.timestamp) but it must be _commitment.expiration >= uint32(block.timestamp) as the commitment expires at the timestamp not after it

Impact

in the validateCommitment function we are checking the condition of _commitment.expiration against the timestamp() but that condition should be >= instead of > the Commitment should expire at the timestamp so the require condition must change, as there is a change that someone can still be able to acceptCommitment even tho it has expired

Code Snippet

 require(
            _commitment.expiration > uint32(block.timestamp), 
            "expired commitment"
        );

Tool used

Manual Review

Recommendation

Change the condition to >= instead of >

passabilities commented 1 year ago

if _commitment.expiration and block.timestamp are equal then the commitment has expired as _commitment.expiration indicates the timestamp that the commitment expires.