This report outlines a potential vulnerability in the smart contract concerning the claim periods associated with unbonding. The vulnerability arises from the manipulation of block timestamps, which could lead to unauthorized claims and affect the fairness of the reward distribution system.
The vulnerability is linked to the following lines of code:
Block Timestamp Manipulation: Miners can influence block.timestamp, allowing them to claim rewards outside the intended time frame.
Reentrancy Risk: If the claim function interacts with external contracts, it could be vulnerable to reentrancy attacks.
Variable Manipulation: Changing unbondingPeriod or claimPeriod could create unfair advantages for certain users.
The identified vulnerabilities could lead to:
Unauthorized Claims: Attackers may exploit the claim mechanism to receive rewards prematurely or deny legitimate claims.
Financial Losses: Users may face financial harm due to the exploitation of the contract, eroding trust in the system.
System Integrity Risks: Compromised fairness in reward distribution could diminish user confidence in the contract.
Manual Code Review
Use block numbers in conjunction with timestamps to reduce reliance on block.timestamp.
Apply the Checks-Effects-Interactions pattern to prevent reentrancy vulnerabilities.
Limit changes to unbondingPeriod and claimPeriod through governance mechanisms or make them immutable.
Add events to log claims and state changes for better transparency and accountability.
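The following contract is an added illustration of the four recommendations together, not the audited contract's code. It assumes a minimal unbond/claim flow and adds a hypothetical minUnbondingBlocks floor alongside the report's unbondingPeriod and claimPeriod.

```solidity
pragma solidity ^0.8.20;

// Added illustration, not the audited contract's code. Assumes a simple
// unbond/claim flow using the `unbondingPeriod` and `claimPeriod` names from the report.
contract HardenedClaim {
    struct Unbond { uint256 amount; uint256 startTime; uint256 startBlock; }
    // Periods are fixed at deployment so nobody can change them to favour a user.
    uint256 public immutable unbondingPeriod;    // seconds
    uint256 public immutable claimPeriod;        // seconds
    uint256 public immutable minUnbondingBlocks; // block-count floor (assumed addition)
    mapping(address => Unbond) public unbonds;
    mapping(address => uint256) public balances;
    event Unbonded(address indexed user, uint256 amount, uint256 startTime, uint256 startBlock);
    event Claimed(address indexed user, uint256 amount);

    constructor(uint256 _unbondingPeriod, uint256 _claimPeriod, uint256 _minUnbondingBlocks) {
        unbondingPeriod = _unbondingPeriod;
        claimPeriod = _claimPeriod;
        minUnbondingBlocks = _minUnbondingBlocks;
    }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function unbond(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        require(unbonds[msg.sender].amount == 0, "already unbonding");
        balances[msg.sender] -= amount;
        unbonds[msg.sender] = Unbond(amount, block.timestamp, block.number);
        emit Unbonded(msg.sender, amount, block.timestamp, block.number);
    }

    function claim() external {
        Unbond memory u = unbonds[msg.sender];
        require(u.amount > 0, "nothing to claim");
        // Checks: window must be open by timestamp AND enough blocks must have passed,
        // so a few seconds of timestamp drift cannot open it early.
        uint256 opensAt = u.startTime + unbondingPeriod;
        require(block.timestamp >= opensAt, "still unbonding");
        require(block.number >= u.startBlock + minUnbondingBlocks, "too few blocks elapsed");
        require(block.timestamp <= opensAt + claimPeriod, "claim window closed");
        // Effects: clear the pending unbond before any external interaction.
        delete unbonds[msg.sender];
        emit Claimed(msg.sender, u.amount);
        // Interaction last: a reentrant claim() now fails the "nothing to claim" check.
        (bool ok, ) = msg.sender.call{value: u.amount}("");
        require(ok, "transfer failed");
    }
}
```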