The `_unlocked_shares` function calculates `unlocked_shares` as `profit_unlocking_rate * (ts - last_profit_update) // MAX_BPS_EXTENDED`. If `ts < last_profit_update`, this calculation will result in an arithmetic underflow, which can lead to critical miscalculations in the protocol.
The calculation of `unlocked_shares` assumes that `ts` (the current timestamp) is always greater than or equal to `last_profit_update`. However, if `ts < last_profit_update`, the subtraction `(ts - last_profit_update)` will underflow, resulting in an incorrect and extremely large value for `unlocked_shares`. This could lead to incorrect price calculations in the oracle, as the unlocked shares are used to determine the total supply of assets. An attacker could exploit this by manipulating the `last_profit_update` timestamp, causing the oracle to return invalid price data. This would allow the attacker to manipulate the oracle's price calculations, potentially leading to financial losses for users relying on the oracle's data.
Manual Review
Add a check to ensure `ts >= last_profit_update` before performing the calculation:
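An added example, not code from the report or from the audited project: a Python model of the formula under unsigned 256-bit arithmetic, with the unchecked subtraction beside a version that applies the recommended check. The function names, the value of `MAX_BPS_EXTENDED`, the choice to reject the input rather than clamp it, and the sample numbers are assumptions.

```python
# Added illustration; MAX_BPS_EXTENDED and the sample numbers are constructed.
UINT256_MAX = 2**256 - 1
MAX_BPS_EXTENDED = 10**12  # assumed scale factor, not taken from the report


def unlocked_shares_wrapping(profit_unlocking_rate, ts, last_profit_update):
    """The formula with unchecked uint256 arithmetic (results taken mod 2**256)."""
    elapsed = (ts - last_profit_update) & UINT256_MAX
    product = (profit_unlocking_rate * elapsed) & UINT256_MAX
    return product // MAX_BPS_EXTENDED


def unlocked_shares_guarded(profit_unlocking_rate, ts, last_profit_update):
    """The formula with the recommended ts >= last_profit_update check."""
    if ts < last_profit_update:
        # Reject the input instead of computing with a negative interval.
        raise ValueError("ts is earlier than last_profit_update")
    product = profit_unlocking_rate * (ts - last_profit_update)
    if product > UINT256_MAX:
        raise OverflowError("product does not fit in uint256")
    return product // MAX_BPS_EXTENDED


if __name__ == "__main__":
    rate = 5 * 10**12  # constructed sample rate
    print(unlocked_shares_guarded(rate, 1_600, 1_000))   # normal case
    print(unlocked_shares_wrapping(rate, 1_000, 1_001))  # wrapped interval
    try:
        unlocked_shares_guarded(rate, 1_000, 1_001)
    except ValueError as exc:
        print("rejected:", exc)
```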
This issue and its duplicates are very similar to the reasoning highlighted in issue #11. The timestamp variables are extracted and verified via the OOS `StateProofVerifier` contract inherited as `Verifier`. There is simply no concrete proof that the verifier allowed such an underflow to occur, representing stale price value updates.