Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

withdrawToLandlord() cant send all rent earned overtime to landlord #28

Closed
c4-bot-9 opened this issue Oct 11, 2024 · 6 comments
Closed

withdrawToLandlord() cant send all rent earned overtime to landlord #28

c4-bot-9 opened this issue Oct 11, 2024 · 6 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-9
Copy link
Contributor

c4-bot-9 commented Oct 11, 2024
edited by c4-bot-4
Loading

Lines of code

https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L1823-L1834

Vulnerability details

Impact

withdrawtolandlord() function does not allow token.ower or any approved/operator address to withdraw all the earned rent to the provided landlord address

Proof Of Concept

https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L1823-L1834

           for (i, item) in token.rentals.iter().enumerate() {
            if item.address == Some(Addr::unchecked(tenant.clone()))
                && item.renting_period[0].to_string() == renting_period[0]
                && item.renting_period[1].to_string() == renting_period[1]
            {
                position = i as i32;
                if item.cancelled {
                    return Err(ContractError::NotApproved { });
                }
                if item.deposit_amount - Uint128::from(token.longterm_rental.price_per_month) < Uint128::from(amount)  { 
                    return Err(ContractError::UnavailableAmount {  });
                }

            }

The snippet above is from the iteration logic in withdrawtolandlord(). The inner if statement here does not allow the landlord to receive 100% of the rental value it has earned on the protocol.

For example if a tennant has paid 10,000 USD over the span of 10 months and price_per_month is 1000 USD, the landlord wants to receive its 10,000 USD which is the total rent earned over time, the logic there will interpret to be:

item.deposit_amount = 10,000
token.longterm_rental.price_per_month = 1000
amount = 10,000

                if  10,000 - Uint128::from(1000) < Uint128::from(10,000)  { 
                    return Err(ContractError::UnavailableAmount {  });
                }

10,000 - 1,000 = 9,000 is lower than 10,000 (the amount to be withdrawn) so this means the function will revert with unavailableAmount error. A months's rent will be stuck in the protocol and cannot be sent to the landlord.

The validation for amount to be withdrawn to landlord is incorrect.

Recommened Mitigation

change the validation to be

if  Uint128::from(amount) > item.deposit_amount { 
                    return Err(ContractError::UnavailableAmount {  });
                }

Assessed type

Context
@c4-bot-9 c4-bot-9 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Oct 11, 2024
c4-bot-6 added a commit that referenced this issue Oct 11, 2024
@c4-bot-6
adeolu issue #28
943e7ea
@c4-bot-11 c4-bot-11 added the 🤖_primary AI based primary recommendation label Oct 11, 2024
@c4-judge
Copy link
Contributor

OpenCoreCH marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Oct 12, 2024
@blockchainstar12 blockchainstar12 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Oct 14, 2024
@blockchainstar12
Copy link

it is intended logic. Owners can withdraw all funds in withdrawtolandlord() function, so it's not needed to withdraw all funds at this function

@OpenCoreCH
Copy link

OpenCoreCH commented Oct 16, 2024
edited
Loading

@blockchainstar12 I cannot follow your argumentation here, the issue is about the withdrawtolandlord() function. Should the owner be able to withdraw all funds or is it intended that they have to leave token.longterm_rental.price_per_month in the deposit?

@blockchainstar12
Copy link

withdrawtolandlord function is not designed to withdraw all funds from the contract, it is for monthly withdrawal, we have finalizelongtermrental function for full withdraw

@OpenCoreCH
Copy link

Ok that makes sense, so this indeed is not a problem because there is another function for withdrawing everything.

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Oct 16, 2024
@c4-judge
Copy link
Contributor

OpenCoreCH marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@OpenCoreCH @c4-judge @code4rena-admin @c4-bot-9 @blockchainstar12 @c4-bot-11