Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

kiki_dev - extendDeposit() Does not check that extension will unexpire deposit. After extension deposit can still be expired. #334

Closed
github-actions bot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Non-Reward This issue will not receive a payout

Comments

@github-actions
Copy link

github-actions bot commented Feb 21, 2023

kiki_dev

medium

extendDeposit() Does not check that extension will unexpire deposit. After extension deposit can still be expired.

Summary

In depositManagerV1.sol there is a function called extendDeposit() that allows a user to extend the expiration for a particular deposit. However the functions seems to be missing a check to ensure that the extension actual pushes the expiration date beyond block.timestamp. Because of this user will end up wasting transactions extending the expiration date to a date that has already passed.

Vulnerability Detail

Here is an example scenario:

Alice deposits 10eth into a bounty with an expiration of 24 hours
A week passes
Alice not calculating the days corectly extends the deposit by 5 days.
expiration
Alice's funds are still expired by a day.

Here is another example.

        expiration[_depositId] =
            block.timestamp -
            depositTime[_depositId] +
            _seconds;

With numbers in place here you can see how easy it would be to have the transaction be useless due to the deposit remaining expired.

        expiration[_depositId] =
            10 am -
            4am +
            2 hours;

Resulting in this:

        expiration[_depositId] = 6am 
        block.timestamp = 10am

Impact

Function will not work as excpeted per documnetation. This will lead to wasted transaction on the users end and overall bad experience with the protocol.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L111

Tool used

Manual Review

Recommendation

Add a check that ensures that expiration + extendedTime > block.timestamp. Same change to prevent users from wasting money and having a bad experience with protocol.

Duplicate of #552

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue labels Feb 21, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Non-Reward This issue will not receive a payout
Projects
None yet
Development

No branches or pull requests

1 participant