MyCut

First Flight #23
Severity: low
Invalid

`Pot::closePot()` uses a timestamp for comparisons, which risks leaving the contract vulnerable to attackers.

Summary

Dangerous usage of `block.timestamp`. `block.timestamp` can be manipulated by miners.

Vulnerability Details

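```solidity
constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
    // ...
    i_deployedAt = block.timestamp; // deployment time taken from the block timestamp
    // ...
}

function closePot() external onlyOwner {
    // The 90-day claim window is checked against block.timestamp
    if (block.timestamp - i_deployedAt < 90 days) {
        revert Pot__StillOpenForClaim();
    }
    // ...
}
```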

Impact

This could potentially allow attackers to influence the timing of the `closePot()` function execution.

Tools Used

Slither

Recommendations

// Store the block number at deployment
uint256 private immutable i_deployedBlock;
// Constructor modification
constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
.
.
.
- i_deployedAt = block.timestamp;
+ i_deployedBlock = block.number; // Record the deployment block
+ for (uint256 i = 0; i < i_players.length; i++) {
+ playersToRewards[i_players[i]] = i_rewards[i];
+ }
}
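Review bot: The three `+` lines in the constructor that loop over `i_players` and fill `playersToRewards` are unrelated to replacing `block.timestamp` with `block.number`, and the constructor body above them is elided, so this hunk does not show whether the loop is new or already present. If it already exists, it should appear as unchanged context rather than as an addition. The declaration `uint256 private immutable i_deployedBlock;` is also shown without a `+`, and the removal of the old `i_deployedAt` declaration is not shown; both should be marked so the storage change is explicit.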
// Modify closePot() to use block numbers
function closePot() external onlyOwner {
- if (block.timestamp - i_deployedAt < 90 days) {
- revert Pot__StillOpenForClaim();
- }
+ uint256 blocksPassed = block.number - i_deployedBlock;
+ uint256 requiredBlocks = 518400; // Approximate number of blocks for
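Review bot: `requiredBlocks = 518400` in `closePot()` equals 90 days only if every block takes 15 seconds (90 days is 7,776,000 seconds, and 7,776,000 / 518,400 = 15), so the claim window now depends on the chain's block time instead of wall-clock time; at 12-second blocks the same count elapses in 72 days. State the assumed block time next to the constant, or turn it into a named constant or constructor parameter. The hunk is also cut off after this line: the comment is unfinished, and the comparison of `blocksPassed` against `requiredBlocks` with the `Pot__StillOpenForClaim` revert is not shown.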
Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
