Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deposit double-counting miscalculation could incorrectly prevent user foreclosure #108

Open
code423n4 opened this issue Jun 16, 2021 · 2 comments
Open

Deposit double-counting miscalculation could incorrectly prevent user foreclosure #108

code423n4 opened this issue Jun 16, 2021 · 2 comments
Labels
1 (Low Risk) bug Something isn't working disagree with severity

Comments

@code423n4
Copy link
Contributor

Handle

0xRajeev

Vulnerability details

Impact

In the deposit function, the deposit _amount has already been added to the user's deposit on L303. The addition of _amount again to the deposit on L309 for checking against daily bidRate effectively leads to double counting of deposited _amount and may keep/bring user out of foreclosure even though they are not.

Proof of Concept

Scenario: Alice’s current daily bidRate is 500 and deposit is 350. She makes a new deposit of 100 which should not bring her out of foreclosure because the new effective deposit will be 300+150 = 450 which is still less than 500. However, because of the double-counting miscalculation, the check performed is 450+100 > 500 which will pass and Alice is not foreclosed. She effectively gains double the deposit amount in treatment of deposits against foreclosure.

https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCTreasury.sol#L279

https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCTreasury.sol#L303

https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCTreasury.sol#L308-L314

Tools Used

Manual Analysis

Recommended Mitigation Steps

Change the conditional predicate on L309-310 from:
user[_user].deposit + _amount > user[_user].bidRate / minRentalDayDivisor
to:
user[_user].deposit > user[_user].bidRate / minRentalDayDivisor
@code423n4 code423n4 added 2 (Med Risk) bug Something isn't working labels Jun 16, 2021
code423n4 added a commit that referenced this issue Jun 16, 2021
@code423n4
0xRajeev issue #108
bf106e3
@code423n4 code423n4 mentioned this issue Jun 16, 2021
Closed
@Splidge Splidge added disagree with severity duplicate This issue or pull request already exists labels Jun 18, 2021
@Splidge
Copy link
Collaborator

Splidge commented Jun 18, 2021

Duplicate of #26

@Splidge Splidge marked this as a duplicate of #26 Jun 18, 2021
@Splidge Splidge closed this as completed Jun 18, 2021
@dmvt
Copy link
Collaborator

dmvt commented Jul 9, 2021

I generally think the impact of this on the rest of the system is minimal. It results in a slight advantage to the user in foreclosure, but does not cause a loss or granting of additional funds. To take advantage of this exploit, the user would also need to be highly skilled at reading source code to find the exploit in the first place. Even if they took the time to do this, the effect would not be permanent. I'm aligned with the view expressed in #26 and #37 that this is low severity.

@dmvt dmvt reopened this Jul 11, 2021
@dmvt dmvt removed the duplicate This issue or pull request already exists label Jul 11, 2021
This was referenced Jul 11, 2021
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 (Low Risk) bug Something isn't working disagree with severity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmvt @Splidge @code423n4