Submission Details
Severity: high
Valid

Use of BlockTimestamp

Summary

Dangerous usage of block.timestamp. block.timestamp can be manipulated by miners.

Vulnerability Details

Location:

PuppyRaffle.selectWinner() (src/PuppyRaffle.sol#125-154) uses timestamp for comparisons
Dangerous comparisons:

  • require(bool,string)(block.timestamp >= raffleStartTime + raffleDuration,PuppyRaffle: Raffle not over) (src/PuppyRaffle.sol#126)

Impact

If the winner's address is a contract, it could potentially execute arbitrary code and manipulate the contract state.

Tools Used

Audit Wizard (Slither)

Recommendations

Avoid relying on block.timestamp.

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.
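
Triage sketch for the finding above, added here as an example and not part of the submission, the contest code or Slither: it separates block.timestamp used in a time comparison (the flagged require) from block.timestamp fed into a hash as entropy, the pattern the weak-randomness tag describes. The Solidity excerpt is constructed; only the require line appears on the page, and the keccak256 and assignment lines, like the function names classify and scan, are hypothetical.

```python
import re

# Constructed Solidity excerpt. Only the require line is quoted on the page;
# the keccak256 and assignment lines are hypothetical illustrations.
SAMPLE = """\
function selectWinner() external {
    require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
    uint256 idx = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp))) % players.length;
    lastDraw = block.timestamp; // bookkeeping only
}
"""

HASH_CALL = re.compile(r"\b(?:keccak256|sha256|ripemd160)\s*\(")
OPS = r"(?:>=|<=|==|!=|>|<)"
COMPARISON = re.compile(rf"block\.timestamp\s*{OPS}|{OPS}\s*block\.timestamp")

NOTES = {
    "entropy": "timestamp feeds a hash: block producer can influence or predict the value",
    "comparison": "time gate: check that the tolerated drift is small against the duration",
    "other": "stored or emitted: no decision taken on the value here",
}

def classify(line):
    """Return 'entropy', 'comparison', 'other', or None if the line has no use."""
    code = line.split("//", 1)[0]  # heuristic: drop trailing line comments
    if "block.timestamp" not in code:
        return None
    if HASH_CALL.search(code):
        return "entropy"
    if COMPARISON.search(code):
        return "comparison"
    return "other"

def scan(source):
    """List (line_number, kind) for every block.timestamp use in the source."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        kind = classify(line)
        if kind:
            hits.append((number, kind))
    return hits

if __name__ == "__main__":
    for number, kind in scan(SAMPLE):
        print(f"line {number}: {kind:<10} {NOTES[kind]}")
```

The classification is line-based and heuristic, so a hash call and a timestamp read split across lines will be reported as "other" and need manual review.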
