Submission Details
Severity: low
Invalid

Timestamp Manipulation Risk in `Steaking.vy::_hasStakingPeriodEnded()`: Vulnerability Due to Block Timestamp Dependency

Summary

The function Steaking.vy::_hasStakingPeriodEnded() decides whether the staking period has ended by comparing the current block's timestamp with the configured deadline. Because block.timestamp is a value the block producer (miner) can influence within limits, the exact moment at which the staking period ends can be shifted by timestamp manipulation.

Vulnerability Details

The function Steaking.vy::_hasStakingPeriodEnded() uses the following code to check if the staking period has ended:

@internal
@view
def _hasStakingPeriodEnded() -> bool:
    return block.timestamp > self.startTimestamp + STAKING_PERIOD

block.timestamp can be manipulated by miners within a range of approximately 15 minutes into the future. Since the check is a strict comparison against self.startTimestamp + STAKING_PERIOD, a miner can influence which block is the first one for which the function returns True, which can result in unintended behaviour such as premature or delayed termination of the staking period. The manipulation only matters for blocks whose honest timestamp lies within that drift window of the deadline; outside the window the result is the same whichever timestamp is chosen.

Impact

  • Premature Termination: Miners may set the timestamp to a value just above self.startTimestamp + STAKING_PERIOD, causing the staking period to end earlier than intended.

  • Delayed Termination: Miners may set the timestamp to a value just below the intended end time, extending the staking period beyond what was originally planned.

Tools Used

Recommendations

Use Block Numbers Instead: Replace block.timestamp with block numbers to mitigate timestamp manipulation. Assuming a 4-week staking period and an average block production time of 13-15 seconds, we can estimate the number of blocks required as follows:

  • For 13 Seconds per Block:
    Number of Blocks ≈ 2,419,200 seconds / 13 seconds/block ≈ 186,800 blocks

  • For 15 Seconds per Block:
    Number of Blocks ≈ 2,419,200 seconds / 15 seconds/block ≈ 161,280 blocks
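As an added example (not code from the Steaking project or from this submission), the Python model below reproduces the timestamp check from the Vulnerability Details section, the block-number replacement recommended above, and the conversion of the 4-week period into a block count. STAKING_PERIOD, the start values and the 15-minute drift bound are assumptions taken from the finding's own text; the block estimate uses floor division on the same seconds-per-block figures.

```python
"""Timestamp-based vs block-number-based staking-period checks.

Added example; not code from the Steaking project. STAKING_PERIOD, the
start values and MAX_TIMESTAMP_DRIFT are assumptions lifted from the finding.
"""

STAKING_PERIOD = 4 * 7 * 24 * 60 * 60   # 4 weeks = 2,419,200 seconds (assumed, as in the finding)
MAX_TIMESTAMP_DRIFT = 15 * 60           # ~15 minutes of producer drift (assumed, as in the finding)


def has_staking_period_ended_ts(block_timestamp: int, start_timestamp: int,
                                period: int = STAKING_PERIOD) -> bool:
    """Mirror of Steaking.vy::_hasStakingPeriodEnded(): strict '>' on block.timestamp."""
    return block_timestamp > start_timestamp + period


def has_staking_period_ended_block(block_number: int, start_block: int,
                                   period_blocks: int) -> bool:
    """Recommended variant: compare block numbers, which a producer cannot stamp ahead."""
    return block_number > start_block + period_blocks


def blocks_for_period(period_seconds: int, seconds_per_block: int) -> int:
    """Number of blocks that cover `period_seconds` at an average block time (floor division)."""
    return period_seconds // seconds_per_block


def can_be_flipped(true_timestamp: int, start_timestamp: int,
                   period: int = STAKING_PERIOD,
                   drift: int = MAX_TIMESTAMP_DRIFT) -> bool:
    """True when stamping the block `drift` seconds ahead of the honest time
    changes the outcome of the timestamp-based check."""
    honest = has_staking_period_ended_ts(true_timestamp, start_timestamp, period)
    skewed = has_staking_period_ended_ts(true_timestamp + drift, start_timestamp, period)
    return honest != skewed


def timestamp_flip_window(start_timestamp: int, period: int = STAKING_PERIOD,
                          drift: int = MAX_TIMESTAMP_DRIFT) -> range:
    """Honest timestamps at which the check would say 'not ended' but a
    forward-stamped block would say 'ended': (deadline - drift, deadline]."""
    deadline = start_timestamp + period
    return range(deadline - drift + 1, deadline + 1)


if __name__ == "__main__":
    start = 1_700_000_000                      # constructed sample start timestamp
    deadline = start + STAKING_PERIOD
    print("flip window length (s):", len(timestamp_flip_window(start)))
    print("flippable at deadline:", can_be_flipped(deadline, start))
    print("flippable 20 min before:", can_be_flipped(deadline - 20 * 60, start))
    for spb in (13, 15):
        print(f"{spb}s blocks for 4 weeks:", blocks_for_period(STAKING_PERIOD, spb))
```

The flip window is exactly as long as the assumed drift bound: every honest timestamp in the last 15 minutes before the deadline can be pushed past it by a forward-stamped block, while a block-number deadline of blocks_for_period(STAKING_PERIOD, 15) blocks has no such window. The trade-off is that a block-number deadline drifts in wall-clock terms when the real average block time differs from the figure used for the estimate.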

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
