Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users will wait untille the last day to cancel reservation to avoid cancellation penalty #36

Closed
c4-bot-3 opened this issue Oct 11, 2024 · 4 comments
Closed

Users will wait untille the last day to cancel reservation to avoid cancellation penalty #36

c4-bot-3 opened this issue Oct 11, 2024 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates 🤖_36_group AI based duplicate group recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-3
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-10-coded-estate/blob/main/contracts/codedestate/src/execute.rs#L1082

Vulnerability details

Description

This protocol gives the right to homeowners to apply a penalty for cancellation after the rent gets approved
The logic is here in execute.rs#cancelreservationafterapprovalforshortterm() function

        let diff_days = (check_in_time_timestamp - current_time)/86400;
        for (_i, item) in cancellation.iter().enumerate() {
            if item.deadline < diff_days {
                refundable_amount =  Uint128::new((amount.u128() * u128::from(item.percentage)) / 100);
                break;
            }
        }

so the cancellation penalty depends on how many days are left before your rent starts.
It calculates the diff_days by subtracting the check-in time from the current time and dividing by 86400
How ever in case the subtracting gives a number less than 86400 the diff_days will be zero

and this check here if item.deadline < diff_days { will never be true
So these two lines will set the token.rentals[].cancelled to true and keep the token.rentals[].deposit_amount same as before because the refundable_amount is zero

            token.rentals[position as usize].cancelled = true;
            token.rentals[position as usize].deposit_amount = amount - refundable_amount;

Impact

users will wait until the last day to cancel the reservation and withdraw all the initial deposit even with the existing of cancellation penalty.

Tools Used

Manual Review

Recommended Mitigation Steps

      for (_i, item) in cancellation.iter().enumerate() {
 -           if item.deadline < diff_days {
+            if item.deadline <= diff_days {
                refundable_amount =  Uint128::new((amount.u128() * u128::from(item.percentage)) / 100);
                break;
            }
        }

Assessed type

Other
@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 11, 2024
c4-bot-8 added a commit that referenced this issue Oct 11, 2024
@c4-bot-8
Ch_301 issue #36
568b713
@c4-bot-13 c4-bot-13 added the 🤖_36_group AI based duplicate group recommendation label Oct 11, 2024
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Oct 12, 2024
@c4-judge
Copy link
Contributor

OpenCoreCH marked the issue as primary issue

@blockchainstar12 blockchainstar12 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Oct 14, 2024
@blockchainstar12
Copy link

Withdrawable amount is "refundable_amount", NOT "deposit_amount"

and once "cancelled" flag is true, users cannot withdraw any funds!

@OpenCoreCH
Copy link

The usage of < or <= in this comparison just seems to be a design decision that alters the meaning of the deadline field in a CancellationItem slightly (inclusive or exclusive).

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Oct 16, 2024
@c4-judge
Copy link
Contributor

OpenCoreCH marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates 🤖_36_group AI based duplicate group recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@OpenCoreCH @c4-judge @c4-bot-3 @blockchainstar12 @c4-bot-13