Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Invalid

Block Time Manipulation, soulmates can claim unlimited LoveTokens<3

Summary

Timestamp manipulation in the Airdrop::claim() function inflates the number of days two people have spent as soulmates, giving them access to a HUGEEEE amount of love tokens and possibly emptying the vault.

Vulnerability Details

In the Airdrop::claim() function, the block.timestamp is utilized to calculate numberOfDaysInCouple, representing the duration two individuals have spent together as soulmates. This calculation is pivotal for determining the allocation of love tokens within the protocol. It relies on the discrepancy between the current block's timestamp and the timestamp marking the inception of their relationship—specifically, the moment they were paired to receive a SoulBound NFT.

Consider the scenario of Alice and Bob, symbolizing soulmates in our context. Upon being paired, they acquire a SoulBound NFT, granting them eligibility to claim love tokens on a daily basis. However, let's delve into a potential exploit: Alice's nefarious intent leads her to manipulate the block timestamp, advancing it by 500 days into the future.

Let's take a look at how the protocol determines the number of days Alice and Bob have spent as a couple:

    uint256 numberOfDaysInCouple = (block.timestamp -
        soulmateContract.idToCreationTimestamp(
            soulmateContract.ownerToId(msg.sender)
        )) / daysInSecond;

Under such circumstances, if Alice alters the block.timestamp, fast-forwarding it by 500 days, the resulting numberOfDaysInCouple would grossly inflate the perceived duration of Alice and Bob's relationship. Consequently, this distortion extends to the calculation of love tokens awarded, as demonstrated below:

    uint256 tokenAmountToDistribute = (numberOfDaysInCouple *
        10 ** loveToken.decimals()) - amountAlreadyClaimed;

Consequently, tokenAmountToDistribute would emerge as an exorbitant figure. This manipulation grants Alice the means to claim an excessive number of love tokens. Moreover, given the shared nature of the NFT, Bob would be entitled to claim an equivalent number of tokens.

Moreover, in cases where tokenAmountToDistribute surpasses the available balance within the vault, the contract would inadvertently deplete its reserves, transferring the entirety of its holdings to the user, effectively emptying the vault.

Another instance of this can be found in Staking::claimRewards, where block.timestamp can be used to increase the number of weeks that have passed in order to collect the rewards for depositing some love tokens.

Impact

Soulmates can claim large amounts of love tokens and empty the vault by manipulating block.timestamp and increasing the time they have spent as a couple.

Proof of Code

Paste the following code into the AirdropTest.t.sol test suite:

PoC
    function testTimestampExploit() public {
        // Both soulmate1 and soulmate2 get an NFT
        _mintOneTokenForBothSoulmates();
        // Let's say soulmate1 turns out to have malicious intent, manipulates the
        // timeline and time-travels 500 days into the future.
        // This would be our manipulated timeline.
        vm.warp(block.timestamp + 500 days);
        // soulmate1 claims 500 days' worth of love tokens
        vm.prank(soulmate1);
        airdropContract.claim();
        // soulmate2 gets in on this as well 😳💌🚀
        vm.prank(soulmate2);
        airdropContract.claim();
    }
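The test below is an added example, not part of the submission or the project's code: it puts the two formulas quoted above and the vault cap described above into a small stand-in contract and asserts on the amounts each claim returns. The contract name ClaimModel, its storage layout, the 18-decimal token, the one-day value of daysInSecond and the 1,000-token vault are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the accounting quoted from Airdrop::claim().
// ClaimModel and every value below are assumptions made for this example.
contract ClaimModel {
    uint256 public constant daysInSecond = 1 days; // assumed: 86400 seconds
    uint256 public constant DECIMALS = 18;         // assumed loveToken.decimals()
    uint256 public immutable creationTimestamp;    // stands in for idToCreationTimestamp
    uint256 public vaultBalance;
    mapping(address => uint256) public claimed;    // stands in for amountAlreadyClaimed

    constructor(uint256 vault) {
        creationTimestamp = block.timestamp;
        vaultBalance = vault;
    }

    function claim() external returns (uint256 amount) {
        uint256 numberOfDaysInCouple = (block.timestamp - creationTimestamp) / daysInSecond;
        amount = numberOfDaysInCouple * 10 ** DECIMALS - claimed[msg.sender];
        // Cap at the vault balance, as the write-up describes for an oversized claim.
        if (amount > vaultBalance) amount = vaultBalance;
        claimed[msg.sender] += amount;
        vaultBalance -= amount;
    }
}

contract ClaimModelTest is Test {
    function testClaimTracksElapsedDays() public {
        ClaimModel model = new ClaimModel(1_000 ether);
        address alice = makeAddr("alice");
        address bob = makeAddr("bob");
        // vm.warp is a Foundry cheatcode: it sets block.timestamp in the test EVM.
        vm.warp(block.timestamp + 500 days);
        vm.prank(alice);
        assertEq(model.claim(), 500 ether); // 500 elapsed days -> 500 tokens
        vm.prank(alice);
        assertEq(model.claim(), 0);         // nothing new accrues within the same day
        vm.prank(bob);
        assertEq(model.claim(), 500 ether); // the partner claims the same amount
        assertEq(model.vaultBalance(), 0);  // 2 x 500 tokens used up the 1,000-token vault
        vm.warp(block.timestamp + 1 days);
        vm.prank(alice);
        assertEq(model.claim(), 0);         // one more day accrued, but the vault is empty
    }
}
```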

Tools Used

Manual Review

Recommendations

Preventative Techniques
To mitigate the risks associated with block timestamp manipulation, developers and auditors must follow best practices. Here are some key recommendations:

1. Do not use block.timestamp
It is recommended to use block.number instead of block.timestamp, which makes it more challenging for attackers to manipulate the timestamp. Manipulating the timestamp would require manipulating the block number as well, adding an extra layer of security.

2. Follow the 15-second rule
Developers can implement time-related checks, such as requiring a minimum time difference between transactions or limiting the number of executions within a specified timeframe. These constraints can help protect against attacks that exploit timing vulnerabilities.

3. Use multiple sources for timestamp verification
Relying on a single source for block timestamps can make smart contracts vulnerable to manipulation. It is advisable to use multiple trusted sources, such as reputable block explorers or oracle services, to verify block timestamps. By cross-checking timestamps from different sources, developers can ensure the integrity of the data and reduce the risk of manipulation.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
