Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Circuit DAO>High findings>Missing timestamp validation in collateral vault
GeneralOverview
Findings
Critical (4)
High (7)Incorrect STATUTES_MAX_IDX for statutes mutationMistakes in auction-collateral calculationsOutlier resolution--logic bugsUnverified solution parameters in announcer_registry could lead to loss of rewardsUnverified solution parameters in recharge_win could lead to loss of tokensMissing timestamp validation in collateral vaultUnverified MIN_DEPOSIT value
Medium (1)
Low (1)
Informational (3)
DiscussionVote aggregationTreasury-ring correctness relies on governanceConfusion of atom-announcer identityOracle-resolution votingTest code coverage
DesignDesign overviewThe statues coinGovernanceAtom announcerAnnouncer registryOracleTreasuryRecharge auctionSurplus auctionCollateral vaultSavings vaultBYC and CRT
Audit ResultsAssessment Results
Category: Coding Mistakes

Missing timestamp validation in collateral vault

High Severity
High Impact
Medium Likelihood

Description

The withdraw operation of the collateral vault allows providing the following parameters in the solution:

(@ args
  (
    withdraw_amount
    price_info
    liquidation_ratio
    current_timestamp
    statutes_cumulative_stability_df
    current_stability_df
  )
)

While the other parameters are verified via the statutes announcements, the current_timestamp is not verified to be the valid value via ASSERT_BEFORE_SECONDS_ABSOLUTE and ASSERT_SECONDS_ABSOLUTE conditions.

Impact

An attacker could use an old timestamp, which would result in an incorrect (old) value of cumulative_stability_df. This cumulative stability discount factor is used to calculate the undiscounted principal and hence the minimum collateral required in the vault such that it is above the liquidation threshold. While the old cumulative stability discount factor could only be used up until the timestamp of the price_info, manipulation of the value could lead to users withdrawing some amount from the vault, even if the vault may be liquidatable.

Recommendations

We recommend verifying the validity of current_timestamp via ASSERT_BEFORE_SECONDS_ABSOLUTE and ASSERT_SECONDS_ABSOLUTE conditions.

Remediation

This issue has been acknowledged by Voltage Technologies Ltd., and a fix was implemented in commit 4d420834.

Zellic © 2025Back to top ↑