First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

`block.timestamp` works differently on `arbitrum` than `L1 (Ethereum)`, which could leads collecting rewards 24 hours earlier or 1 hour later than supposed time

abhishekthakur

Summary

users can collectPresent before scheduled time or 1 hour later due to the way block.timestamp is calculated on Arbitrum.

Vulnerability Details

collectPresent function check if current time is greator than CHRISTMAS_2023_BLOCK_TIME then allow, else revert. But Arbitrum don't follow the L1 block.timestamp instead it relies on sequencer clock.
Here is how arbitrum handles block.timestamp -

Must be always equal or greater than the previous L2 block timestamp
Must fall within the established boundaries (24 hours earlier than the current time or 1 hour in the future). More on this can be Read Here

-so as per current scenario, it's highly possible than users will be able to mint 24 hours earlier.

Impact

User can collectPresent before time or 1 hour late

Tools Used

Manual Review

Recommendations

To keep it near possible date, CHRISTMAS_2023_BLOCK_TIME can be increased to 23 hours.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.