NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

[M-01] A miner (attacker) can manipulate the block time in order to freeze the cancellation and withdrawal event, and try to get a white address.

Summary

In contract IStarklaneEvent.sol there is a variable block.timestamp, which gives a miner with strong hashing power an advantage over others: a miner can manipulate it within a window of 15 seconds. The timestamp 1724091310, which I chose on the site, corresponds to Mon 19 Aug 2024 18:15:10 GMT+0000; the miner can manipulate the last digits of this number to produce, for example, 1724091313 (3 of the 15 seconds).

Vulnerability Details

What happens next after initialization is that the request for withdrawal of funds is completed (L2). The variables (L1 and L2) carry a hash index, and the block time is a number counted from January 1, 1970.
What can a miner do here, in this context?

First, the miner manipulates the time for the deposit event and the funds (transfer between L1 and L2).
Then he will try to manipulate the beginning of the cancellation:

```solidity
event CancelRequestStarted(
    uint256 indexed hash,
    uint256 block_timestamp
);
```

This can act so that the event that comes after the start of the cancellation leads to the funds being manipulated, and the most important goal of the miner will be to get `true`.

```solidity
event CancelRequestCompleted(
    uint256 indexed hash,
    uint256 block_timestamp
);
```

Namely here:

```solidity
event WhiteListUpdated(
    bool enable
);
```

By manipulating the block time, for example 1724091310, 1724091311, 1724091312, it can try to snatch the update event and get `true` instead of `enable`. Thus a miner with a lot of power, whose goal is to manipulate events in the contract, can freeze the event of the beginning of the cancellation and the deposit for users.

Impact

The issue is classified as medium in severity, as it may cause users to wait and potentially confuse them, and the miner will gain an advantage for their wallets.

Tools Used

VS Code.

Recommendations

Add an oracle for time, and more checks: for example, check that the miner will definitely not be able to make any event last longer and somehow influence the expectations of other users in the protocol.
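As an added illustration of the recommendation above (this is not code from the Starklane contracts; the contract, constants and function names are my own assumptions), the following Solidity sketch shows a cancellation window that records the start timestamp and requires a delay far larger than the drift a block producer can introduce, so that nudging a single block's timestamp by a few seconds cannot open or close the window:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical example contract (not Starklane's): a cancellation flow whose
/// timing checks tolerate the roughly 15-second block.timestamp drift the
/// report describes. Names and constants are assumptions for illustration.
contract CancelWindowExample {
    event CancelRequestStarted(uint256 indexed hash, uint256 block_timestamp);
    event CancelRequestCompleted(uint256 indexed hash, uint256 block_timestamp);

    // Largest timestamp drift a block producer is assumed able to introduce
    // (the 15-second figure cited in the report).
    uint256 public constant MAX_TIMESTAMP_DRIFT = 15 seconds;

    // Waiting period between starting and completing a cancellation. It is
    // chosen far above MAX_TIMESTAMP_DRIFT (assumed value: one day) so that
    // shifting one block's timestamp cannot open or close the window early.
    uint256 public constant CANCEL_DELAY = 1 days;

    mapping(uint256 => uint256) public cancelStartedAt;
    mapping(uint256 => bool) public cancelled;

    constructor() {
        // Sanity check of the design rule: the gated interval must dwarf
        // the drift a producer can add, otherwise the check is meaningless.
        require(CANCEL_DELAY > 100 * MAX_TIMESTAMP_DRIFT, "delay too short for drift");
    }

    function startCancelRequest(uint256 hash) external {
        require(cancelStartedAt[hash] == 0, "already started");
        cancelStartedAt[hash] = block.timestamp;
        emit CancelRequestStarted(hash, block.timestamp);
    }

    function completeCancelRequest(uint256 hash) external {
        uint256 startedAt = cancelStartedAt[hash];
        require(startedAt != 0, "not started");
        require(!cancelled[hash], "already cancelled");
        // The delay is a lower bound on the wait. A producer can only shorten
        // it by at most MAX_TIMESTAMP_DRIFT, which is negligible against it.
        require(block.timestamp >= startedAt + CANCEL_DELAY, "window not elapsed");
        cancelled[hash] = true;
        emit CancelRequestCompleted(hash, block.timestamp);
    }
}
```

The point of the example is the ratio between the gated interval and the possible drift: a condition such as `block.timestamp >= startedAt + CANCEL_DELAY` is only as robust as the margin by which `CANCEL_DELAY` exceeds what a single block producer can shift, which is why the constructor rejects a delay that is not at least two orders of magnitude above the assumed drift.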

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
