Submission Details
Severity: low
Invalid

Use of Block.timestamp for comparisons

Summary

Dangerous usage of block.timestamp. block.timestamp can be manipulated by miners.

Vulnerability Details

The following functions compare block.timestamp against hardcoded deadlines; since block.timestamp can be manipulated by miners, these comparisons are affected:
In ChoosingRam::increaseValuesOfParticipants()

function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)
    public
    RamIsNotSelected
{
    ...

    @>   if (block.timestamp > 1728691200) {
        revert ChoosingRam__TimeToBeLikeRamFinish();
    }
    ...
}

In ChoosingRam::selectRamIfNotSelected()

function selectRamIfNotSelected() public RamIsNotSelected OnlyOrganiser {
 @>    if (block.timestamp < 1728691200) {
        revert ChoosingRam__TimeToBeLikeRamIsNotFinish();
    }
 @>    if (block.timestamp > 1728777600) {
        revert ChoosingRam__EventIsFinished();
    }
    
    uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();
    selectedRam = ramNFT.getCharacteristics(random).ram;
    isRamSelected = true;
}

In Dussehra::killRavana()

function killRavana() public RamIsSelected {
    @>  if (block.timestamp < 1728691069) {
        revert Dussehra__MahuratIsNotStart();
    }
    @>  if (block.timestamp > 1728777669) {
        revert Dussehra__MahuratIsFinished();
    }
    IsRavanKilled = true;
    uint256 totalAmountByThePeople = WantToBeLikeRam.length * entranceFee;
    totalAmountGivenToRam = (totalAmountByThePeople * 50) / 100;
    (bool success, ) = organiser.call{value: totalAmountGivenToRam}("");
    require(success, "Failed to send money to organiser");
}

Impact

Miners can manipulate the timestamp to extend the event's time window for their own benefit.
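The gates quoted above only change behaviour when a manipulated timestamp crosses one of the hardcoded boundaries. The Foundry test below is an added example, not code from the contest's Dussehra or ChoosingRam contracts: it reproduces only the two ChoosingRam gates in a stand-in contract (TimeGates, with the constants 1728691200 and 1728777600 from the report) and assumes a bounded timestamp drift of 15 seconds (MAX_SKEW, an illustrative figure, not a value from the page). vm.warp is used to show that such a drift is irrelevant in the middle of the day-long window and only flips the outcome within MAX_SKEW seconds of a boundary, which is the quantity a reviewer needs when assessing the impact of this finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in contract constructed for this example. It keeps only the
// timestamp gates quoted in the report, not the rest of ChoosingRam.
contract TimeGates {
    error TimeToBeLikeRamFinish();
    error TimeToBeLikeRamIsNotFinish();
    error EventIsFinished();

    // Values taken from the report; 1728691200 is 2024-10-12 00:00:00 UTC
    // and 1728777600 is exactly one day later.
    uint256 public constant RAM_SELECTION_START = 1728691200;
    uint256 public constant EVENT_END = 1728777600;

    // Mirrors the gate in increaseValuesOfParticipants().
    function increaseValues() external view {
        if (block.timestamp > RAM_SELECTION_START) revert TimeToBeLikeRamFinish();
    }

    // Mirrors the two gates in selectRamIfNotSelected().
    function selectRam() external view {
        if (block.timestamp < RAM_SELECTION_START) revert TimeToBeLikeRamIsNotFinish();
        if (block.timestamp > EVENT_END) revert EventIsFinished();
    }
}

contract TimeGatesTest is Test {
    TimeGates internal gates;
    // Assumed upper bound on how far a block producer could push the
    // timestamp; chosen for illustration, not derived from the report.
    uint256 internal constant MAX_SKEW = 15;

    function setUp() public {
        gates = new TimeGates();
    }

    // In the middle of the window a MAX_SKEW drift in either direction
    // leaves every gate's outcome unchanged.
    function test_SkewIsHarmlessMidWindow() public {
        uint256 mid = gates.RAM_SELECTION_START() + 12 hours;
        vm.warp(mid - MAX_SKEW);
        gates.selectRam();
        vm.warp(mid + MAX_SKEW);
        gates.selectRam();
    }

    // Only within MAX_SKEW seconds of a boundary can the drift flip a gate:
    // at the exact boundary increaseValues() is still allowed, but a
    // forward-skewed timestamp makes it revert.
    function test_SkewFlipsOutcomeOnlyAtBoundary() public {
        uint256 start = gates.RAM_SELECTION_START();
        vm.warp(start);
        gates.increaseValues();

        vm.warp(start + MAX_SKEW);
        vm.expectRevert(TimeGates.TimeToBeLikeRamFinish.selector);
        gates.increaseValues();

        // Same picture at the end of the event window.
        uint256 end = gates.EVENT_END();
        vm.warp(end);
        gates.selectRam();

        vm.warp(end + MAX_SKEW);
        vm.expectRevert(TimeGates.EventIsFinished.selector);
        gates.selectRam();
    }
}
```

Run with `forge test --match-contract TimeGatesTest`. The two tests together show that the exploitable region is at most 2 * MAX_SKEW seconds around each boundary of a 86400-second window; when weighing this finding, compare that band against what a participant could actually gain from being on the other side of the boundary.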

Tools Used

Manual Review

Recommendations

Avoid relying on block.timestamp.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
