Incorrect timestamp condition in `WithdrawalPool` functions can prevent expected execution
Summary
The checkUpkeep and performUpkeep functions in WithdrawalPool.sol are intended to ensure that withdrawals are only executed after a minimum time delay between actions, governed by the minTimeBetweenWithdrawals variable. However, the current condition checks if block.timestamp is strictly greater than (>) the sum of timeOfLastWithdrawal and minTimeBetweenWithdrawals. This logic is incorrect and could lead to unnecessary delays in withdrawal execution, as it fails to allow withdrawal exactly when the time limit is met. The correct logic should use >= instead of > to ensure that withdrawals can be performed as soon as the minimum time has passed.
Vulnerability Details
In both the checkUpkeep and performUpkeep functions, the condition checking the passage of time is as follows:
This condition requires block.timestamp to be strictly greater than the calculated time (timeOfLastWithdrawal + minTimeBetweenWithdrawals). This means that even if the time has precisely met the required delay (i.e., the timestamps are equal), the withdrawal execution would still be prevented. This could lead to unexpected delays in performing necessary withdrawals, as users may be forced to wait beyond the required minimum time.
Location of the issue:
Impact
This issue can lead to a delayed execution of withdrawals, causing inefficiencies and negative user experience.
Tools Used
Manual audit
Recommendations
Change the condition in both the checkUpkeep and performUpkeep functions to use >= instead of > when checking whether the minimum time between withdrawals has passed.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.