RankedChoice.sol::selectPresident uses an `if` condition to make sure the function is called within the valid voting window by checking this statement:
However, block.timestamp is manipulable: a miner can adjust it to increase their chances of profiting from the logic, here by calling selectPresident at the wrong time and breaking the election logic.
The timestamp vulnerability occurs when a smart contract makes decisions based on the block timestamp's value. The timestamp is a property generated by the node on which the smart contract is deployed, and it is highly manipulable by miners.
Based on the Neptune Mutual blog:
One of the most challenging issues with blockchain technology is synchronizing the precise time between nodes due to the distributed nature of the network. However, comprehending the present time is probably inevitable during the development of smart contracts, especially as most smart contract development languages are Turing complete.
By using the timestamp, which has the potential to be changed, in the logic of the selectPresident function, anyone can call selectPresident at an inappropriate time (before the four years end).
Avoid using block.timestamp.
Use an external time oracle: these oracles fetch real-world time and provide it to your smart contract, minimizing the risk of manipulation.
Thresholds and confirmations: implement thresholds and confirmation mechanisms for time-dependent actions. Require multiple blocks to confirm the passage of time before executing critical functions.
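As an added illustration (not code from the RankedChoice.sol under review), the contract below places a timestamp-only gate beside one that also enforces the block-count threshold recommended above; the contract name, the four-year term constant and the assumed 12-second block time are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract written for this finding, not the audited RankedChoice.sol.
contract ElectionTimingExample {
    error NotYetTime();

    uint256 public immutable voteStartTimestamp;
    uint256 public immutable voteStartBlock;
    // Assumed term length of four years.
    uint256 public constant PRESIDENTIAL_DURATION = 4 * 365 days;
    // Assumed ~12 s average block time: the minimum number of blocks a term must span.
    uint256 public constant MIN_BLOCKS_PER_TERM = (4 * 365 days) / 12;
    address public president;

    constructor() {
        voteStartTimestamp = block.timestamp;
        voteStartBlock = block.number;
    }

    // Vulnerable pattern: the only gate is block.timestamp, a value the block
    // producer chooses, so the timing decision rests on a producer-controlled input.
    function selectPresidentTimestampOnly(address candidate) external {
        if (block.timestamp < voteStartTimestamp + PRESIDENTIAL_DURATION) {
            revert NotYetTime();
        }
        president = candidate;
    }

    // Hardened pattern: keep the timestamp check, but additionally require that
    // enough blocks have been produced since the term began. Skewing the timestamp
    // of a single block does not change how many blocks the chain has produced,
    // so the window cannot be opened early by a timestamp alone.
    function selectPresident(address candidate) external {
        if (block.timestamp < voteStartTimestamp + PRESIDENTIAL_DURATION) {
            revert NotYetTime();
        }
        if (block.number < voteStartBlock + MIN_BLOCKS_PER_TERM) {
            revert NotYetTime();
        }
        president = candidate;
    }
}
```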