Block Timestamp Dependence in Interest Calculation Functions
Summary
The contract's interest rate calculation functions, such as fixedRate, rely on the block timestamp (block.timestamp), which can be slightly manipulated by miners. This could potentially affect the accuracy of interest calculations.
Vulnerability Detail
The Ethereum block timestamp can be influenced by miners within certain limits (approximately +/- 15 seconds). Contracts that use timestamps for logic related to time-sensitive operations may therefore have vulnerabilities if this manipulation affects contract outcomes.
Impact
If a miner manipulates the timestamp, it could lead to incorrect interest rate calculations or enable timing-based exploits. The impact is likely low-medium since there are natural limitations on how much miners can manipulate timestamps and because economic incentives generally discourage extreme manipulation.
function fixedRate(uint256 maturity / other params /) public view returns (uint256) {
uint256 currentTime = timeOracle.getCurrentTime();
v.maturityFactor = (maturity - currentTime).divWadDown(
// ... rest of code ...
);
//... rest of fixedRate implementation...
}
}
This would require deploying a separate Time Oracle contract with its own security considerations but would reduce dependency risks associated with miner-controlled variables like `block.timestamp`.
Im_th3AK
medium
Block Timestamp
Dependence in Interest Calculation FunctionsSummary
The contract's interest rate calculation functions, such as
fixedRate
, rely on the block timestamp (block.timestamp
), which can be slightly manipulated by miners. This could potentially affect the accuracy of interest calculations.Vulnerability Detail
The Ethereum block timestamp can be influenced by miners within certain limits (approximately +/- 15 seconds). Contracts that use timestamps for logic related to time-sensitive operations may therefore have vulnerabilities if this manipulation affects contract outcomes.
Impact
If a miner manipulates the timestamp, it could lead to incorrect interest rate calculations or enable timing-based exploits. The impact is likely low-medium since there are natural limitations on how much miners can manipulate timestamps and because economic incentives generally discourage extreme manipulation.
Code Snippet
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/InterestRateModel.sol#L121-L122
Tool used
Recommendation
contract InterestRateModel { ITimeOracle public immutable timeOracle;
function fixedRate(uint256 maturity / other params /) public view returns (uint256) { uint256 currentTime = timeOracle.getCurrentTime(); v.maturityFactor = (maturity - currentTime).divWadDown( // ... rest of code ... );
} }