Submission Details
Severity:
Incorrect validation of blueprint in `runBlueprint()`
Github link
Summary
runBlueprint() validates the block time differently from the document.
Vulnerability Details
In the documentation, it says block.timestamp should be within (startTime, endTime).
Blueprints are off-chain data structures that are EIP-712 signed to verify publisher intent. Each Blueprint contains an arbitrary sequence of internal and external function calls wrapped into an AdvancedFarm call and to be executed through the Tractor Facet. Any properly signed Blueprint can be executed through Tractor given:
1. startTime < block.timestamp < endTime;
But runBlueprint() checks differently.
modifier runBlueprint(LibTractor.Requisition calldata requisition) {
require(
LibTractor._getBlueprintNonce(requisition.blueprintHash) <
requisition.blueprint.maxNonce,
"TractorFacet: maxNonce reached"
);
require(
requisition.blueprint.startTime <= block.timestamp && //@audit should be strict
block.timestamp <= requisition.blueprint.endTime,
"TractorFacet: blueprint is not active"
);
}
Recommendations
Recommend implementing like the documentation.
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.