Timestamp deviation in arbitrum deployment can impact time based contract logic
Summary
A vulnerability exists due to the deviation in block.timestamp on Arbitrum, affecting contracts relying on precise time-based logic.
Vulnerability Details
Staking and unstaking mechanisms calculate durations based on the difference between the block.timestamp at staking initiation and the block.timestamp at the point of unstaking. Arbitrum's timestamp handling, determined by the sequencer's clock, allows for timestamps that can deviate significantly from real-time (up to 24 hours in the past and potentially future-dated by up to an hour). This discrepancy arises because Arbitrum batches transactions before submitting them to Ethereum, during which the sequencer sets block.timestamp based on the time of submission to L1, not when transactions are processed on L2. As a result, the calculated staking duration could inaccurately reflect the actual time staked, impacting reward distribution.
Impact
Stake rewards could be higher (or lower) then they should be based on actual time staked.
Tools Used
Manual Review
Recommendations
If time based logic accuracy is essential, consider only deploying on mainnet.
Lead Judging Commences
arbitrum timestamp
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.