In the setContest function, the provided closeTime is not correctly verified against the allowed maximum duration.
In the setContest function, a check is done to ensure the closeTime is within the allowable time range. However, the condition used for that check is potentially problematic: it allows a closeTime that is exactly block.timestamp + MAX_CONTEST_PERIOD, which might not be the intended behavior given the comment annotation indicating it's supposed to be strictly less than 28 days.
With >: Setting closeTime to exactly 28 days from the current time is valid.
Consider a scenario where MAX_CONTEST_PERIOD is set to 28 days.
A user can set the closeTime to block.timestamp + 28 days using the current function without any revert.
However, if the strict inequality as indicated by the comment is enforced, this would not be possible, and the function would revert.
The user can set the closeTime to 28 days from the transaction firing.
Manual review
Instead of
if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {
do
if (closeTime >= block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp)
Because
With >: Setting closeTime to exactly 28 days from the current time is valid.
With >=: Setting closeTime to exactly 28 days from the current time is invalid.