Hardcoded Timestamp Values can introduce rounding errors
Closed this issue · 0 comments
Lines of code
https://github.com/code-423n4/2024-07-loopfi/blob/main/src/PoolV3.sol#L671-L673
Vulnerability details
Impact
Hardcoding timestamp values and using the difference between timestamps to compute interest could potentially introduce rounding errors.
Such financial computations should rely on timestamp differences as little as possible.
In PoolV3.sol, the lastBaseInterestUpdate and lastQuotaRevenueUpdate are hard-coded timestamp values.
These are used to compute the base interest rate and the quota revenue accrued since the last update, respectively (functions _calcBaseInterestAccrued and _calcQuotaRevenueAccrued).
Proof of Concept
https://github.com/code-423n4/2024-07-loopfi/blob/main/src/PoolV3.sol#L671-L673
```solidity
/// @dev Computes base interest accrued since given timestamp
function _calcBaseInterestAccrued(uint256 timestamp) private view returns (uint256) {
    return (_totalDebt.borrowed * baseInterestRate().calcLinearGrowth(timestamp)) / RAY;
}

/// @dev Computes quota revenue accrued since given timestamp
function _calcQuotaRevenueAccrued(uint256 timestamp) private view returns (uint256) {
    return quotaRevenue().calcLinearGrowth(timestamp);
}
```
Tools Used
Manual Review
Recommended Mitigation Steps
It is generally recommended to avoid using hardcoded timestamps and the arithmetic involving them, especially in financial computations. An improvement could be to use block numbers instead of timestamps as they are more reliable and less prone to manipulation.
Consider restructuring the computation of interest and quota revenue to not depend on specific timestamp values but rather to use iterative methods.
Assessed type
Other
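
An added example (not part of the original report and not LoopFi's code): a Python model of the two truncating divisions in `_calcBaseInterestAccrued`, measuring the rounding loss of one accrual over a timestamp difference against the same period accrued in many small steps. It assumes `calcLinearGrowth(value, timestamp)` computes `value * (block.timestamp - timestamp) / SECONDS_PER_YEAR` with a 365-day year, which the page does not show; the loan size, rate and intervals are constructed.

```python
from fractions import Fraction

RAY = 10**27
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year


def calc_linear_growth(value: int, elapsed: int) -> int:
    """Assumed calcLinearGrowth: value * elapsed / SECONDS_PER_YEAR, truncated."""
    return value * elapsed // SECONDS_PER_YEAR


def base_interest_accrued(borrowed: int, rate_ray: int, elapsed: int) -> int:
    """Mirrors _calcBaseInterestAccrued: two integer divisions, each truncates."""
    return borrowed * calc_linear_growth(rate_ray, elapsed) // RAY


def exact_interest(borrowed: int, rate_ray: int, elapsed: int) -> Fraction:
    """Same formula with no truncation, as an exact rational number."""
    return Fraction(borrowed * rate_ray * elapsed, SECONDS_PER_YEAR * RAY)


def accrue_in_steps(borrowed: int, rate_ray: int, elapsed: int, step: int) -> int:
    """Accrue the same period as a sum of short updates on a fixed principal."""
    total, done = 0, 0
    while done < elapsed:
        dt = min(step, elapsed - done)
        total += base_interest_accrued(borrowed, rate_ray, dt)
        done += dt
    return total


def rounding_report(borrowed: int, rate_ray: int, elapsed: int, step: int) -> dict:
    """Loss (in smallest token units) versus the exact value for both strategies."""
    exact = exact_interest(borrowed, rate_ray, elapsed)
    single = base_interest_accrued(borrowed, rate_ray, elapsed)
    stepped = accrue_in_steps(borrowed, rate_ray, elapsed, step)
    return {"single": single, "stepped": stepped,
            "single_loss": exact - single, "stepped_loss": exact - stepped}


if __name__ == "__main__":
    # Constructed inputs: 1,000,000 tokens (18 decimals), 5% APR in RAY,
    # one day elapsed, compared with an update every 12 seconds.
    report = rounding_report(10**24, 5 * 10**25, 86_400, 12)
    for key, value in report.items():
        print(f"{key}: {float(value):.4f}")
```

Each call to the modelled function loses less than `1 + borrowed / RAY` base units to truncation, so the total loss scales with the number of updates rather than with the length of the interval.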