Timestamp manipulation in Airdrop::claim()
function inflates the amount of days two people spent as soulmates giving them access to a HUGEEEE amount of love tokens, possibly emptying the vault.
In the Airdrop::claim()
function, the block.timestamp
is utilized to calculate numberOfDaysInCouple
, representing the duration two individuals have spent together as soulmates. This calculation is pivotal for determining the allocation of love tokens within the protocol. It relies on the discrepancy between the current block's timestamp and the timestamp marking the inception of their relationship—specifically, the moment they were paired to receive a SoulBound NFT
.
Consider the scenario of Alice and Bob, symbolizing soulmates in our context. Upon being paired, they acquire a SoulBound NFT
, granting them eligibility to claim love tokens on a daily basis. However, let's delve into a potential exploit: Alice's nefarious intent leads her to manipulate the block timestamp, advancing it by 500 days into the future.
Lets take a look at how the protocol determines the number of days Alice and Bob would've spent as couples:
Under such circumstances, if Alice alters the block.timestamp
, fast-forwarding it by 500 days, the resulting numberOfDaysInCouple
would grossly inflate the perceived duration of Alice and Bob's relationship. Consequently, this distortion extends to the calculation of love tokens awarded, as demonstrated below:
Consequently, tokenAmountToDistribute
would emerge as an exorbitant figure. This manipulation grants Alice the means to claim an excessive number of love tokens. Moreover, given the shared nature of the NFT, Bob would be entitled to claim an equivalent number of tokens.
Moreover, in cases where tokenAmountToDistribute
surpasses the available balance within the vault, the contract would inadvertently deplete its reserves, transferring the entirety of its holdings to the user, effectively emptying the vault.
Another instance of this can be found in Staking::claimRewards
where block.timestamp
can be used to increase the number weeks that have passed to collect the rewards for depositing some love tokens.
Soulmates can claim large amounts of love tokens and empty the vault by manipulating the block.timestamp
and increasing the time they spent as couples.
Paste the following code in the AirdropTest.t.sol
testsuite
Manual Review
Preventative Techniques
To mitigate the risks associated with block timestamp manipulation, developers and auditors must follow best practices. Here are some key recommendations:
1. Do not use block.timestamp
it is recommended to use block.number
instead of block.timestamp
. By using block.number
, the block.number
is utilized instead of the timestamp, making it more challenging for attackers to manipulate the timestamp. Manipulating the timestamp would require manipulating the block number as well, adding an extra layer of security.
2.Following the 15 second Rule
Developers can implement time-related checks, such as requiring a minimum time difference between transactions or limiting the number of executions within a specified timeframe. These constraints can help protect against attacks that exploit timing vulnerabilities.
3. Use multiple sources for timestamp verification
Relying on a single source for block timestamps can make smart contracts vulnerable to manipulation. It is advisable to use multiple trusted sources, such as reputable block explorers or oracle services, to verify block timestamps. By cross-checking timestamps from different sources, developers can ensure the integrity of the data and reduce the risk of manipulation.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.