MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Block timestamp manipulation affects when the pot can be closed

Summary

The owner is allowed to close the pot 90 days after it was created. However, the pot is vulnerable to block timestamp manipulation upon deployment of the Pot contract.

Vulnerability Details

The vulnerability lies in line 28 of the Pot contract.

The variable i_deployedAt is intended to store the timestamp at which the Pot contract is deployed. A malicious miner can manipulate the timestamp of the block in which the contract deployment transaction is mined, causing i_deployedAt to be set to a future timestamp.

Impact

The vulnerability would lead to unexpected behavior: the pot cannot be closed 90 days after the Pot contract is deployed, and can only be closed at a future timestamp.

Tools Used

Foundry, manual review

Recommended Mitigation

To mitigate this vulnerability, the Pot contract should use the timestamp of a reliable and trusted external oracle and set it as the deployed time.
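
Added example, not part of the submission or the contest code base: a Foundry fuzz test showing that if the deployment block is stamped `skew` seconds late, the earliest closing time moves by exactly that many seconds. `MiniPot`, `closePot` and the revert string are hypothetical; only `i_deployedAt` and the 90-day period come from the finding, and the owner check is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the pattern described above; not the contest's Pot contract.
contract MiniPot {
    uint256 public immutable i_deployedAt; // name taken from the finding
    bool public closed;

    constructor() {
        // The value comes from the block that carries the deployment transaction.
        i_deployedAt = block.timestamp;
    }

    function closePot() external {
        require(block.timestamp - i_deployedAt >= 90 days, "still open");
        closed = true;
    }
}

contract DeployTimestampSkewTest is Test {
    uint256 constant HONEST_DEPLOY_TIME = 1_700_000_000; // constructed value

    // Fuzz over the skew: the closing deadline shifts by `skew`, no more and no less.
    function testFuzz_closeTimeShiftsBySkew(uint32 skew) public {
        // The deployment block is stamped `skew` seconds later than the honest time.
        vm.warp(HONEST_DEPLOY_TIME + skew);
        MiniPot pot = new MiniPot();
        assertEq(pot.i_deployedAt(), HONEST_DEPLOY_TIME + skew);

        // One second before the shifted deadline the call still reverts.
        vm.warp(HONEST_DEPLOY_TIME + skew + 90 days - 1);
        vm.expectRevert(bytes("still open"));
        pot.closePot();

        // At the shifted deadline it succeeds.
        vm.warp(HONEST_DEPLOY_TIME + skew + 90 days);
        pot.closePot();
        assertTrue(pot.closed());
    }
}
```

Run it with `forge test --match-contract DeployTimestampSkewTest` in a project that has forge-std installed.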

Updates

Lead Judging Commences

equious Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
