Skip to content

Latest commit

 

History

History
65 lines (43 loc) · 2.79 KB

027.md

File metadata and controls

65 lines (43 loc) · 2.79 KB

Custom Pineapple Newt

High

Early repayers can be unexpectedly liquidated

Summary

Summary

dueDate calculations currently punish users who pay a cycle early as it does not extend their next due date

Description

Let's observe how due dates are calculated in V2Calculations.sol

         else if (_bidPaymentCycleType == PaymentCycleType.Seconds) {
        
            dueDate_ = _acceptedTimestamp + _paymentCycle;
         
            uint32 delta = _lastRepaidTimestamp - _acceptedTimestamp;
            if (delta > 0) {
                uint32 repaymentCycle = uint32(
                    Math.ceilDiv(delta, _paymentCycle)
                );
                dueDate_ += (repaymentCycle * _paymentCycle);
            }
        }

It starts by assigning dueDate_ the value of the very first expected repayment and adds an extra repaymentCycle every time 1 _paymentCycle passes.

Issue is that repaymentCycle will return the same value for 2 cycle payments that took place within the same period e.g: Assume 10 payment periods, each period is 10 seconds, entire loan duration is 100 seconds, accepted timestamp is 0

  1. Payment with _lastRepaidTimestamp = 6 will return delta = 6, repaymentCycle = ceilDiv(6,10) = 1, dueDate_ = 20
  2. Payment with _lastRepaidTimestamp = 7 will return delta = 7, repaymentCycle = ceilDiv(7,10) = 1, dueDate_ = 20

Users who wish to repay earlier either for good reputation or to pay less interest in the future will be punished for doing so and could be unexpectedly liquidated since they know they have pre-paid their obligation for the subsequent cycle and still be marked as defaulted. A more illustrative example would be to pre-pay your April rent during February and still get evicted couple days into March for missing a payment.

Root Cause

  • In V2Calculations.calculateNextDueDate does not extend the next due date based on the number of already paid cycles

Internal pre-conditions

Borrower pre-pays their dues for a period further in the future (e.g paying April rent during February)

External pre-conditions

None

Attack Path

  1. Borrower pays 2 periodic payments earlier in order to retain good reputation and pay interest on smaller principal in the future
  2. Borrower does not initiate any payments for 1 full cycle
  3. Arbitrary party liquidates the borrower for missing a payment and seizes their collateral
  4. Borrower is liquidated despite paying early

Impact

Unfair liquidations and collateral seizure

PoC

No response

Mitigation

Track the total number of cycles paid and use it to calculate future due dates