Assert indicates unnecessary check or missing constraint/logic #90

Open
code423n4 opened this issue Jun 16, 2021 · 3 comments
Labels: 1 (Low Risk); bug (Something isn't working); duplicate (This issue or pull request already exists)

Comments

@code423n4
Contributor

Handle

0xRajeev

Vulnerability details

Impact

updateLastRentalTime() function “tracks when the user last rented so they cannot rent and immediately withdraw thus bypassing minimum rental duration.”

This function currently always returns true and so there is no need to assert its return value, as done in newRental(), unless it was meant to return false in some scenarios which indicates missing constraint/logic. It is not clear what that might be.

Impact: Given that the minimum rental duration is one of the two key protection mechanisms, any missing logic/constraint here could affect the project significantly.

Proof of Concept

https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCMarket.sol#L731

https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCTreasury.sol#L484-L498

Tools Used

Manual Analysis

Recommended Mitigation Steps

Validate constraint/logic to see if function should return false in any scenario. Remove assert at call site if otherwise.
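
As an added illustration of the pattern this report describes (not code from the report or from the RealityCards repository), here is a small Python heuristic that flags `assert()`/`require()` wrapped around calls to bool-returning functions that can only return true. The Solidity sample is constructed, with `payRent` and the contract layout invented for the example, and the regexes do not strip comments or resolve overloads.

```python
import re

# Constructed Solidity input modelled on the reported pattern; not the project's source.
SAMPLE = """
contract Treasury {
    mapping(address => uint256) public lastRentalTime;
    function updateLastRentalTime(address user) external returns (bool) {
        lastRentalTime[user] = block.timestamp;
        return true;
    }
    function payRent(address user, uint256 amount) external returns (bool) {
        if (amount == 0) { return false; }
        return true;
    }
}
contract Market {
    Treasury treasury;
    function newRental(address user) external {
        assert(treasury.updateLastRentalTime(user));
        require(treasury.payRent(user, 1));
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*returns\s*\(\s*bool\s*\)[^{;]*\{")
CHECK = re.compile(r"\b(assert|require)\s*\(\s*(?:\w+\.)*(\w+)\s*\(")

def body_at(src, open_idx):  # text of the brace-balanced block whose '{' is at open_idx
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def always_true_functions(src):
    """Names of bool functions whose every return is 'return true' (regex heuristic)."""
    names = set()
    for m in FUNC.finditer(src):
        returns = re.findall(r"\breturn\b\s*([^;]*);", body_at(src, m.end() - 1))
        if returns and all(r.strip() == "true" for r in returns):
            names.add(m.group(1))
    return names

def redundant_checks(src):
    """(line, 'assert'|'require', callee) for checks on a result that can only be true."""
    constant = always_true_functions(src)
    return [(n, kind, callee) for n, line in enumerate(src.splitlines(), 1)
            for kind, callee in CHECK.findall(line) if callee in constant]
```

Each finding is a prompt for the review question raised above: either the callee is missing a failure path, or the check at the call site can go.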

code423n4 added the 1 (Low Risk) and bug (Something isn't working) labels Jun 16, 2021
code423n4 added a commit that referenced this issue Jun 16, 2021
Splidge added the duplicate (This issue or pull request already exists) label Jun 18, 2021
@Splidge
Collaborator

Splidge commented Jun 18, 2021

Duplicate of #55

Splidge marked this as a duplicate of #55 Jun 18, 2021
Splidge closed this as completed Jun 18, 2021
@dmvt
Collaborator

dmvt commented Jul 10, 2021

I do not see how this is a duplicate of #55.

dmvt reopened this Jul 10, 2021
@Splidge
Collaborator

Splidge commented Jul 12, 2021

Sorry, I think it must have been #53 I wanted to mark it a duplicate of.
Although there is also some overlap with #83 as the assert wasn't used correctly.
