Incorrect penalty calculation for missing collateral updates
Summary
The math formula that calculates penalty amount based on missed intervals is not correct
Vulnerability Detail
In _imposePenaltyIfMissedCollateralUpdates function of MinterGateway.sol, it imposes penalty based on currently owed amount of M token and the number of intervals that missed the collateral updates, as follows:
In calculation, the penalty amount is calculated by multiplying number of intervals, but this is not correct.
The correct one has to be exponential instead of multiply.
Let's take an example:
Alice owes 100M, penalty rate is 10%, and missed 3 intervals.
When the penalty is imposed after 3 intervals, she pays 30M as penalty. 100 3 10% = 30
However, assumed the penalty is imposed for each interval, she pays 33.1M as penalty.
[Interval 1] 100 10% = 10
[Interval 2] (100 + 10) 10% = 11
[Interval 3] (110 + 11) * 10% = 12.1
As a result, based on how user updates collateral, penalty amount becomes different, which should not.
Impact
Less penalty is imposed to users who do not update their collateral in-time.
KupiaSec
medium
Incorrect penalty calculation for missing collateral updates
Summary
The math formula that calculates penalty amount based on missed intervals is not correct
Vulnerability Detail
In
_imposePenaltyIfMissedCollateralUpdates
function ofMinterGateway.sol
, it imposes penalty based on currently owed amount of M token and the number of intervals that missed the collateral updates, as follows:In calculation, the penalty amount is calculated by multiplying number of intervals, but this is not correct. The correct one has to be exponential instead of multiply.
Let's take an example: Alice owes 100M, penalty rate is 10%, and missed 3 intervals.
When the penalty is imposed after 3 intervals, she pays 30M as penalty. 100 3 10% = 30 However, assumed the penalty is imposed for each interval, she pays 33.1M as penalty. [Interval 1] 100 10% = 10 [Interval 2] (100 + 10) 10% = 11 [Interval 3] (110 + 11) * 10% = 12.1
As a result, based on how user updates collateral, penalty amount becomes different, which should not.
Impact
Less penalty is imposed to users who do not update their collateral in-time.
Code Snippet
https://github.com/sherlock-audit/2023-10-mzero/blob/f567348da0505ba2671224898c69f2d37e60cdc2/protocol/src/MinterGateway.sol#L759 https://github.com/sherlock-audit/2023-10-mzero/blob/f567348da0505ba2671224898c69f2d37e60cdc2/protocol/src/MinterGateway.sol#L914-L937
Tool used
Manual Review
Recommendation
Penalty amount calculation formula has to be updated as follows:
PenaltyAmount = OwedM * ((1 + PenaltyRate) ^ Intervals - 1)
Duplicate of #37