Submission Details
Severity:
`dittoMatchedShares` denominated in ETH-days instead of eth-seconds
Summary
Shares are denominated in ETH-days, but in docs it's stated
Users generate userShares (dittoMatchedShares) denominated in ETH-seconds, by the product of the Order amount (in ETH) and time until match (in seconds)
Vulnerability Details
timeTillMatch is divided by days, but should be just multiplied with eth:
function increaseSharesOnMatch(
address asset,
STypes.Order memory order,
MTypes.Match memory matchTotal,
uint88 eth
) internal {
AppStorage storage s = appStorage();
// @dev use the diff to get more time (2159), to prevent overflow at year 2106
uint32 timeTillMatch = getOffsetTime() - order.creationTime;
if (timeTillMatch > Constants.MIN_DURATION) {
// shares in eth-days
@> uint88 shares = eth * (timeTillMatch / 1 days);
matchTotal.dittoMatchedShares += shares;
uint256 vault = s.asset[asset].vault;
s.vaultUser[vault][order.addr].dittoMatchedShares += shares;
}
}
Impact
Code is incorrect to spec
Tools Used
Manual Review
Recommendations
function increaseSharesOnMatch(
address asset,
STypes.Order memory order,
MTypes.Match memory matchTotal,
uint88 eth
) internal {
AppStorage storage s = appStorage();
// @dev use the diff to get more time (2159), to prevent overflow at year 2106
uint32 timeTillMatch = getOffsetTime() - order.creationTime;
if (timeTillMatch > Constants.MIN_DURATION) {
// shares in eth-days
- uint88 shares = eth * (timeTillMatch / 1 days);
+ uint88 shares = eth * timeTillMatch;
matchTotal.dittoMatchedShares += shares;
uint256 vault = s.asset[asset].vault;
s.vaultUser[vault][order.addr].dittoMatchedShares += shares;
}
}
Prize pool breakdown
Total prize
55,000 USDC
nSLOC
3,36516 USDC / LOC
50,000 USDC
5,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.