Details

Summary

New pixel owner could overpay taxes by incorrect tax calculation if its previous owner set the price at 0.

Context

[_collectTax](<https://github.com/thematters/contracts/blob/b62df4e1ad3e0b4bc3ffc516cf974475ac2a197e/src/TheSpace/TheSpace.sol#L348=>) is to collect and record tax from pixel owner, it’s triggered in three scenarios

Since tax is calculated with price, tax rate, [lastTaxCollection](<https://github.com/thematters/contracts/blob/b62df4e1ad3e0b4bc3ffc516cf974475ac2a197e/src/TheSpace/TheSpace.sol#L316=>) and past block count, and the lastTaxCollection can be updated only if collectable tax is larger than 0. So a zero-price pixel can skip to be “collected” under these scenarios.

Form an Attack

  1. In block#1000, attacker bought a pixel and price it at 0 $SPACE;
  2. In block #2000, victim bought the pixel and price it at 10 $SPACE;
  3. In block #3000, victim’s tax was calculated from block#1000 to block#3000, not from block#2000;

Affected Assets

Risk Score

Likelihood

Factors Score Reason
Threat Agent Factors
Skill Level 2 advanced user or has programming skills.
Motive 2 possible reward through UBI.
Opportunity 1 need to own a large portion of pixels and pay gas fees.
Size 3 anonymous Internet users.
Vulnerability Factors

| Ease of Exploit | 2 | cannot form the attack if pixel isn’t bought. | | Awareness | 3 | public knowledge. |

Impact