First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Error in Start Time of the Protocol

emma77

Summary

From the documentation the start time/date, uint256 private constant START_TIME of the protocol Thursday, Aug 15, 2024, 20:00:00 GMT+0000 is 1723752000. This is an error. The correct start/date, uint256 private constant START_TIME of the protocol Thursday, Aug 15, 2024, 20:00:00 GMT+0000 is 723748400

Vulnerability Details

The ScoreBoard::START_TIME & ThePredicter::START_TIME are not correct, this would cause a delay in the start time of the protocol. This would cause denial of service. The correct Unix timestamp for Thursday, Aug 15, 2024, 20:00:00 GMT+0000 is 1723748400. From the code base the ScoreBoard::START_TIME & ThePredicter::START_TIME is set at as 1723752000 for the Unix timestamp for "Thursday, Aug 15, 2024, 20:00:00 GMT+0000". There is an error in the Unix timestamp for "Thursday, Aug 15, 2024, 20:00:00 GMT+0000". 1723752000 != 1723748400.

PoC

// Thu Aug 15 2024 20:00:00 GMT+0000

const year = 2024;

const month = 8; // Months are 0-indexed in JavaScript (January is 0)

const day = 15;

const hour = 20;

const minute = 0;

const second = 0;

// Create a JavaScript Date object

const date_time = new Date(year, month - 1, day, hour, minute, second);

// Get the Unix timestamp (milliseconds since epoch)

const unix_timestamp = date_time.getTime() / 1000;

// Print the timestamp (cast to integer for consistency with Python)

console.log(Math.floor(unix_timestamp));

Run the javascript code. Save the file in date.js. On the terminal run node date.js The output is 1723748400. 1723748400 is the correct ScoreBoard::START_TIME & ThePredicter::START_TIME

Impact

There would be a delay in the start time of the protocol. This would cost DoS. ScoreBoard::setPrediction, ThePredicter::makePrediction & ThePredicter::register function and all functions that require START_TIME would be executed with wrong timing. Malicious players can make predictions after the game has elapsed to have accurate predictions.

Tools Used

Manual Code Review

Recommendations

The corrcet ScoreBoard::START_TIME & ThePredicter::START_TIME, uint256 private constant START_TIME = 1723748400 ; // Thu Aug 15 2024 20:00:00 GMT+0000 should be used and NOT uint256 private constant START_TIME = 1723752000 // Thu Aug 15 2024 20:00:00 GMT+0000- uint256 private

- uint256 private constant START_TIME = 1723752000; // Thu Aug 15 2024 20:00:00 GMT+0000

+ uint256 private constant START_TIME = 1723748400; // Thu Aug 15 2024 20:00:00 GMT+0000

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.