Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $90,500 USDC
Total HM: 35
Participants: 84
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 12
Id: 192
League: ETH
Rank: 55/84
Findings: 1
Award: $124.22
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Ruhum
Also found by: Ermaniwe, HollaDieWaldfee, __141345__, rvierdiiev, wait
124.2162 USDC - $124.22
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L225
In the current realisation of the contracts there is no real-time tracking of expired contracts, and they could affect other contracts' releases. An expired contract can only be released by the contract manager. If the process is not automated and expired contracts should be closed manually by users, it could lead to some miscalculations and losses of profit, since an expired bond will affect the ratio until it is released.
Scenario
Step 1) Create 2 bonds with close expiration time:
Step 2) Make a distribution at day 10 after first bond expired (e.g. 1000 eth)
Step 3) Wait 1 more day to expire second bond and release it while first bond still not released
Expected result:
Actual result:
Here is a small test for proof of concept in the fork repository: https://github.com/ermaniwe/2022-12-tigris/blob/release_test/test/09.Bonds.js#L248
hardhat and chai
Probably it would be better to make a redistribution on any release event. Since an expired contract can't be extended, it shouldn't affect them.
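The accounting behind the scenario above, as an added example that is not part of the original submission and is not code from BondNFT.sol. It is a simplified model that assumes shares are amount × period / 365 and that one epoch is one day; `BondPool` and `scenario` are hypothetical names.

```javascript
// Simplified model of share-based bond rewards (assumption, not BondNFT.sol).
const WAD = 10n ** 18n;
class BondPool {
  constructor() {
    this.day = 0;          // current epoch (one epoch = one day)
    this.acc = [0n];       // cumulative rewards per share, indexed by epoch
    this.totalShares = 0n;
    this.bonds = new Map();
  }
  advance(days) {          // carry the accumulator forward one epoch at a time
    for (let i = 0; i < days; i++) { this.acc.push(this.acc[this.day]); this.day++; }
  }
  lock(id, amount, days) {
    const shares = (amount * BigInt(days)) / 365n; // assumed weighting
    const debt = (shares * this.acc[this.day]) / WAD;
    this.bonds.set(id, { amount, shares, debt, expiry: this.day + days });
    this.totalShares += shares;
  }
  distribute(amount) {     // divides by ALL shares, expired-but-unreleased ones included
    this.acc[this.day] += (amount * WAD) / this.totalShares;
  }
  pending(id) {            // an expired bond stops accruing at the epoch before expiry
    const b = this.bonds.get(id);
    const epoch = this.day >= b.expiry ? b.expiry - 1 : this.day;
    return (b.shares * this.acc[epoch]) / WAD - b.debt;
  }
  release(id) {
    const b = this.bonds.get(id);
    if (this.day < b.expiry) throw new Error("bond has not expired");
    const payout = b.amount + this.pending(id);
    // rewards that were assigned to this bond's shares after it expired
    const stranded = (b.shares * (this.acc[this.day] - this.acc[b.expiry - 1])) / WAD;
    this.totalShares -= b.shares;
    this.bonds.delete(id);
    if (stranded > 0n && this.totalShares > 0n) this.acc[this.day] += (stranded * WAD) / this.totalShares;
    return payout;
  }
}
function scenario(releaseExpiredFirst) {
  const pool = new BondPool();
  pool.lock(1, 1000n * WAD, 11);   // owner
  pool.lock(2, 1000n * WAD, 10);   // user
  pool.advance(10);                // bond 2 is expired now, bond 1 is not
  pool.distribute(1000n * WAD);
  const pending1 = pool.pending(1), pending2 = pool.pending(2);
  if (releaseExpiredFirst) pool.release(2); // redistribution reaches bond 1
  pool.advance(1);                 // bond 1 expires
  return { pending1, pending2, ownerPayout: pool.release(1) };
}
console.log(scenario(false), scenario(true));
```

In the model, bond 1 is credited 11/21 of the distribution while bond 2 sits expired and unreleased, and it only receives the remainder if bond 2 is released before bond 1 stops accruing.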
#0 - GalloDaSballo
2022-12-22T02:02:21Z
it("Rewards should be received from an expired bond upon release", async function () {
  await stabletoken.connect(owner).mintFor(owner.address, ethers.utils.parseEther("1000"));
  await lock.connect(owner).lock(StableToken.address, ethers.utils.parseEther("1000"), 11);
  await stabletoken.connect(owner).mintFor(user.address, ethers.utils.parseEther("1000"));
  await lock.connect(user).lock(StableToken.address, ethers.utils.parseEther("1000"), 10);
  await network.provider.send("evm_increaseTime", [864000]); // Skip 10 days
  await network.provider.send("evm_mine");
  await stabletoken.connect(owner).mintFor(owner.address, ethers.utils.parseEther("1000"));
  await bond.distribute(stabletoken.address, ethers.utils.parseEther("1000"));
  const [,,,,,, expireEpoch,,,,] = await bond.idToBond(2);
  expect(await bond.epoch(stabletoken.address)).to.be.equals(expireEpoch);
  expect(await bond.isExpired(1)).to.be.equals(false);
  expect(await bond.isExpired(2)).to.be.equals(true);
  expect(await bond.pending(1)).to.be.equals("523809523809523809500");
  expect(await bond.pending(2)).to.be.equals("0");
  // if expired contract was released - redistribution happens and test passes
  // await lock.connect(user).release(2);
  await network.provider.send("evm_increaseTime", [867600]); // Skip a further 867600 s (10 days + 1 hour)
  await network.provider.send("evm_mine");
  await lock.connect(owner).release(1);
  expect(await stabletoken.balanceOf(owner.address)).to.be.equals("1999999999999999999941"); // 2000 tiUSD after release
});
#1 - c4-judge
2022-12-22T02:03:35Z
GalloDaSballo marked the issue as duplicate of #523
#2 - c4-judge
2022-12-22T15:24:09Z
GalloDaSballo marked the issue as duplicate of #630
#3 - c4-judge
2023-01-22T17:56:29Z
GalloDaSballo marked the issue as satisfactory