Description
Incorrect tax calculation if pixel price was set to 0
Author
catding
Scope
Smart Contract
Status
EligibleResolvedReward Distributed
Risk Score
4
Risk Severity
Medium
Reward Amount
156,240
Reported Date
June 21, 2022
Bugfix Commits
Categories
Transaction of Reward Distribution
Details
Summary
New pixel owner could overpay taxes by incorrect tax calculation if its previous owner set the price at 0.
Context
_collectTax is to collect and record tax from pixel owner, it’s triggered in three scenarios
- set new pixel price
- transfer to a new address
- or bid a pixel with owner
Since tax is calculated with price, tax rate, lastTaxCollection and past block count, and the lastTaxCollection can be updated only if collectable tax is larger than 0. So a zero-price pixel can skip to be “collected” under these scenarios.
Form an Attack
- In block#1000, attacker bought a pixel and price it at 0 $SPACE;
- In block #2000, victim bought the pixel and price it at 10 $SPACE;
- In block #3000, victim’s tax was calculated from block#1000 to block#3000, not from block#2000;
Affected Assets
- contracts/src/TheSpace/TheSpace.sol (commit: b62df4e)
Risk Score
Likelihood
Factors | Score | Reason |
Threat Agent Factors | ||
Skill Level | 2 | advanced user or has programming skills. |
Motive | 2 | possible reward through UBI. |
Opportunity | 1 | need to own a large portion of pixels and pay gas fees. |
Size | 3 | anonymous Internet users. |
Vulnerability Factors | ||
Ease of Exploit | 2 | cannot form the attack if pixel isn’t bought. |
Awareness | 3 | public knowledge. |
Impact
Factors | Score | Reason |
Technical Impact Factors | ||
Loss of Integrity | 1 | N/A |
Loss of Availability | 2 | can damage the economic mechanism partly. |
Loss of Accountability | 3 | can completely anonymous. |
Business Impact Factors | ||
Financial Damage | 2 | depends on the pixel price and the time duration before the pixel is bought. |
Overall Likelihood: 2
Overall Impact: 2
Overall Risk Score = Impact * Likelihood = 4