The function Steaking.vy::_hasStakingPeriodEnded() determines whether the staking period has ended based on the current block's timestamp. This approach introduces potential vulnerabilities related to miner manipulation of block timestamps.
The function Steaking.vy::_hasStakingPeriodEnded() uses the following code to check if the staking period has ended:
block.timestamp can be manipulated by miners within a range of approximately 15 minutes into the future. This means that miners can influence the end of the staking period by adjusting the timestamp, which can result in unintended behaviour such as premature or delayed termination of the staking period.
Premature Termination: Miners may set the timestamp to a value just above self.startTimestamp + STAKING_PERIOD, causing the staking period to end earlier than intended.
Delayed Termination: Miners may set the timestamp to a value just below the intended end time, extending the staking period beyond what was originally planned.
Use Block Numbers Instead: Replace block.timestamp with block numbers to mitigate timestamp manipulation. Assuming a 4-week staking period and an average block production time of 13-15 seconds, we can estimate the number of blocks required as follows:
For 13 Seconds per Block:
Number of Blocks ≈ 2,419,200 seconds / 13 seconds/block ≈ 186,800 blocks
For 15 Seconds per Block:
Number of Blocks ≈ 2,419,200 seconds / 15 seconds/block ≈ 161,280 blocks
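Added example (not code from the Steaking contract): a Python model that compares how far the real end of the staking period can move under the timestamp check and under a block-number check, using the figures quoted above. The `>=` comparison, the function names and a chain that starts at block 0 with timestamp 0 are assumptions.

```python
# Added example: models the two deadline checks; not the Steaking contract's code.
STAKING_PERIOD = 4 * 7 * 24 * 3600  # 2,419,200 s: the 4-week period from the text
MAX_SKEW = 15 * 60                  # timestamp tolerance quoted in the text
BLOCKS_AT_13S = 186_800             # block counts as estimated in the text
BLOCKS_AT_15S = 161_280


def ended_by_timestamp(block_ts, start_ts):
    # The text names self.startTimestamp + STAKING_PERIOD; ">=" is an assumption.
    return block_ts >= start_ts + STAKING_PERIOD


def ended_by_block(block_no, start_block, period_blocks):
    # Hypothetical block-number variant of the same check.
    return block_no >= start_block + period_blocks


def real_end_offset(seconds_per_block, skew=0, period_blocks=None):
    """Real seconds after start at which the first block passes the check.

    period_blocks=None: timestamp check, producer reports real time + skew.
    Otherwise: block-number check, which ignores the reported timestamp.
    Staking is assumed to start at block 0 with timestamp 0.
    """
    n = 0
    while True:
        n += 1
        real = n * seconds_per_block
        if period_blocks is None:
            done = ended_by_timestamp(real + skew, 0)
        else:
            done = ended_by_block(n, 0, period_blocks)
        if done:
            return real


if __name__ == "__main__":
    for spb in (13, 15):
        early = real_end_offset(spb) - real_end_offset(spb, skew=MAX_SKEW)
        print(f"{spb} s/block: timestamp check can end up to {early} s early")
        for blocks in (BLOCKS_AT_13S, BLOCKS_AT_15S):
            drift = real_end_offset(spb, period_blocks=blocks) - STAKING_PERIOD
            print(f"  {blocks} blocks: ends {drift / 86400:+.2f} days from 4 weeks")
```

The block-number check no longer depends on the reported timestamp, but its real duration follows the actual block interval, so the chosen block count should account for that variance.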