Skip to content

Latest commit

 

History

History
44 lines (36 loc) · 2.52 KB

055.md

File metadata and controls

44 lines (36 loc) · 2.52 KB

Powerful Honeysuckle Anteater

Medium

Locking period set by user does not have minimum of 1 month being enforced.

Summary

The lock-in period option set during deposit, for dCDS user, is not sanitized if it's more than 30 days/more than the withdrawTimeLimit

Root Cause

As can be seen from the docs https://docs.autonomint.com/autonomint/blockchain-docs/core-contracts/cds#deposit and the deposit function there is a param called lockingPeriod, which the user can use to specify/make a longer locking period, with a minimum of 1 month by requirement.

function deposit(
        uint128 usdtAmount,
        uint128 usdaAmount,
        bool liquidate,
        uint128 liquidationAmount,
        uint128 lockingPeriod ) payable

lockingPeriod | uint128 | How long the user is willing to stay deposited in the protocol. However currently when its set during deposit in CDSLib.sol#L534 is not being sanitized if its more than 30 days or the withdrawTimeLimit admin-set value.

This could also be seen from the frontend docs, that a longer locking period could be specified, but not less than 1 month: https://docs.autonomint.com/autonomint/autonomint-1/guides/how-to/dcds-interface

Users can enter the "AMINT" amount to deposit and the time duration for which this AMINT will be locked in. The minimum time duration is 1 month

Flow of issue

  1. A User wants to make a deposit.
  2. Since the value is not sanitized, even though he could set it to less than 30 days, the TX will pass.
  3. This would confuse the user, as later on, he won't be able to withdraw earlier due to the withdrawTimeLimit check in the withdraw function.

Impact

There is a separate issue, that this value is not enforced during withdrawal, which it should be. However, fixing it, won't fix this one here. Even if we add both checks, for lockingperiod and keep the one for withdrawTimeLimit, which is currently present:

     if (cdsDepositDetails.depositedTime + withdrawTimeLimit > uint64(block.timestamp)) {
            revert CDS_WithdrawTimeNotYetReached();
        }

We would still allow users to set a lower value for lockingperiod than 30 days, which will never be checked during deposit and will trick users into believing they could withdraw their funds earlier.

Mitigation

Check that the locking period is at least 30 days or withdrawTimeLimit if not, revert and don't allow a deposit.