##Summary

block.timestamp in this contract is used to determine whether sufficient time has passed since the last distribution (lastDistribution), and to calculate the number of weeks pending for the distribution of points,attackers can manipulate block.timestampto their advantage,who can alter the timestamp by up to 15 seconds within the bounds of the consensus rules.

##Vulnerability Details

The distributePoints() relies on block.timestamp to manage time-based operations related to the distribution of points to users. I want to document how the key reliance on block.timestamp is :

-Timing Check: it checks if the current block.timestamp is less than lastDistribution + EPOCH_DURATION. If true, it returns early, preventing any point distribution until the specified epoch duration has passed.

-Pending Weeks Calculation: The number of epochs pending for distribution is calculated using the difference between the current block.timestamp and lastDistribution, divided by EPOCH_DURATION.

-State Updates: The lastDistribution variable is updated based on the current block.timestamp, to ensure the distribution timing is recorded for future checks.

Relevant git-hub link:https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L241

#Impact

A miner could manipulate the timestamp to gain an advantage, potentially redistributing rewards unfairly.

#Tools Used

Manual

#Recommendations

It is recommended to use block.number instead of block.timestamp. By using block.number, the block.number is utilized instead of the timestamp, making it more challenging for attackers to manipulate the timestamp. Manipulating the timestamp would require manipulating the block number as well, adding an extra layer of security.