Use of block.number leads to incorrect interest calculations

[code423n4]

Lines of code

https://github.com/code-423n4/2023-04-rubicon/blob/511636d889742296a54392875a35e4c0c4727bb7/contracts/utilities/poolsUtility/Position.sol#L327

Vulnerability details

The interests that need to be paid upon closing a position are computed as follows:

File: contracts/utilities/poolsUtility/Position.sol
322: function _calculateDebt(
323:         address _bathToken,
324:         uint256 _startBlock,
325:         uint256 _borrowedAmount
326:     ) internal view returns (uint256 _debt) {
327:         uint256 _blockDelta = block.number - _startBlock;
328: 
329:         uint256 _interest = (
330:             (_borrowedAmount).mul(borrowRate(_bathToken).mul(_blockDelta))
331:         ).div(10 ** 18);
332:         _debt = _borrowedAmount.add(_interest);
333:     }

The interest rate is computed using the block delta, between block.number and the starting block.

The issue is that block production on Optimism is currently not fixed:

each transaction on L2 is placed in a separate block and blocks are NOT produced at a constant rate

Proof of Concept

Run the following command several times in the repo, using an optimism rpc url:

cast block-number --rpc-url YOUR_OPTIMISM_RPC_URL

You will see that block are not produced at a constant rate.

Impact

Interest rates are currently manipulable and will result in users having to repay more interests than expected upon closing positions.

Tools Used

Manual Analysis

Mitigation

Use block.timestamp instead of block.number for interest calculation. It will involve a lot of refactoring as the Compound contracts bathToken currently inherits from use a "per block" system.

[c4-pre-sort]

0xSorryNotSorry marked the issue as duplicate of #1212

[c4-judge]

HickupHH3 marked the issue as satisfactory

[c4-judge]

HickupHH3 marked the issue as selected for report