On Arbitrum, `block.timestamp` can be off by 24 hours, allowing players to make predictions after the specified time window with correct results.
Description:
According to Arbitrum's documentation^[https://docs.arbitrum.io/build-decentralized-apps/arbitrum-vs-ethereum/block-numbers-and-time#timestamp-boundaries-of-the-sequencer], a sequencer has the capability to adjust timestamps, allowing them to be set up to 24 hours earlier or 1 hour later than the actual time. This means that block.timestamp values on Arbitrum may deviate by as much as 24 hours from the real time.
Impact:
The time that the ThePredicter::makePrediction and ScoreBoard::setPrediction functions can be called can potentially shifts beyond the intended time period (until 19:00:00 UTC on the day of the match) up to 24 hours earlier. This could enable Players to set a new predictions right after the game concludes (with the correct results, since they would already know the outcome). This would allow them to gain score points and secure more rewards once the tournament ends.
Likelihood: Low / Impact: High, resulting in an overall risk level of Medium.
Tools Used:
VSCode, manual review
Recommended Mitigation:
Use an off-chain source (for instance Chainlink's Time Based Upkeeps) to limit functions based on time.
Lead Judging Commences
block.timestamp on Arbitrum
It would be possible to make a prediction for an ongoing or already finished match if the Arbitrum timestamps deviate according to what the Arbitrum docs states as possible.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.