Summary

The function Steaking.vy::_hasStakingPeriodEnded() determines whether the staking period has ended based on the current block's timestamp. This approach introduces potential vulnerabilities related to miner manipulation of block timestamps.

Vulnerability Details

The function Steaking.vy::_hasStakingPeriodEnded() uses the following code to check if the staking period has ended:

block.timestamp can be manipulated by miners within a range of approximately 15 minutes into the future. This means that miners can influence the end of the staking period by adjusting the timestamp, which can result in unintended behaviour such as premature or delayed termination of the staking period.

Impact

• Premature Termination: Miners may set the timestamp to a value just above self.startTimestamp + STAKING_PERIOD, causing the staking period to end earlier than intended.

• Delayed Termination: Miners may set the timestamp to a value just below the intended end time, extending the staking period beyond what was originally planned.

Tools Used

Recommendations

Use Block Numbers Instead: Replace block.timestamp with block numbers to mitigate timestamp manipulation. Assuming a 4-week staking period and an average block production time of 13-15 seconds, we can estimate the number of blocks required as follows:

• For 13 Seconds per Block:
  Number of Blocks ≈ 2,419,200 seconds / 13 seconds/block ≈ 186,800 blocks

• For 15 Seconds per Block:
  Number of Blocks ≈ 2,419,200 seconds / 15 seconds/block ≈ 161,280 blocks