Starknet Auction

First Flight #26
Submission Details
Severity: medium
Invalid

Relying on `block.timestamp` as the parameter that determines the end of the bidding period is a weak approach.

Summary

In the protocol, the block timestamp (returned by get_block_timestamp() on Starknet, the counterpart of Solidity's block.timestamp) is the only check used to decide that the bidding period has ended.

Vulnerability Details

In the start function, the bidding_end variable is computed from the block timestamp. This variable marks the end of the bidding period:

let time = get_block_timestamp();
let bidding_end = time + bidding_duration;

Next, this stored value is compared against the current block timestamp in the end function to decide whether the bidding period is over:

assert(time >= self.bidding_end.read(), 'Auction is not yet ended');

Using the block timestamp as the only guard on the end of the bidding period is a weak approach, because the timestamp is chosen by the block producer rather than by the contract. For background on this class of issue see https://solidity-by-example.org/hacks/block-timestamp-manipulation/

POC

The POC is written as a Foundry (Solidity) test because that is where the vm.warp cheatcode lives; it models a block producer that reports a timestamp 15 seconds ahead of true time. The same manipulation can be driven against the Cairo contract with starknet-foundry's block-timestamp cheatcode. yourContract stands for the auction under test and biddingEnd() is an assumed getter for the stored deadline.

import {Test} from "forge-std/Test.sol";

contract AuctionTimestampTest is Test {
    function testManipulateTimestamp() public {
        yourContract.startAuction(/* parameters */);
        // true time: 15 s before the deadline, so end should not be callable yet
        vm.warp(yourContract.biddingEnd() - 15);
        vm.warp(block.timestamp + 15); // @audit producer reports a timestamp 15 s later than true time
        yourContract.endAuction(); // the deadline check now passes 15 s early
    }
}

Impact

On Starknet the sequencer that produces a block also sets its timestamp, so it can shift the apparent time by a bounded amount around the deadline. Inside that window it decides whether end succeeds slightly early or the auction stays open slightly late, and therefore whether a last-moment bid is accepted. Outside the window the check behaves as intended, so the effect is a bounded distortion of the auction's closing rather than a full break of the protocol.
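To make that bounded window concrete, the following is an added Python model of the auction's time-gated checks. It is not the project's Cairo code: the contract logic mirrors the start()/end() checks quoted above plus a minimal bid(), and the producer's maximum timestamp skew (MAX_SKEW), the class and function names, and the sample values are all hypothetical.

```python
"""Added model of the auction's time-gated end check (not the project's Cairo code).

Assumptions (hypothetical): the block producer can report a timestamp at most
MAX_SKEW seconds away from true time, and the contract mirrors the quoted
start()/end() checks plus a minimal bid().
"""

MAX_SKEW = 15  # assumed producer skew in seconds; not a Starknet protocol constant


class TimeOnlyAuction:
    """end() is gated solely by the block timestamp, as in the finding."""

    def __init__(self, start_ts: int, bidding_duration: int, starting_bid: int):
        # let bidding_end = time + bidding_duration;
        self.bidding_end = start_ts + bidding_duration
        self.highest_bid = starting_bid
        self.highest_bidder = None
        self.ended = False

    def bid(self, bidder: str, amount: int, block_ts: int) -> None:
        """Accept a bid only while the reported block timestamp is before the deadline."""
        if block_ts >= self.bidding_end:
            raise ValueError("Auction already ended")
        if amount <= self.highest_bid:
            raise ValueError("Bid is not high enough")
        self.highest_bid, self.highest_bidder = amount, bidder

    def end(self, block_ts: int) -> tuple:
        """assert(time >= self.bidding_end.read(), 'Auction is not yet ended');"""
        if block_ts < self.bidding_end:
            raise ValueError("Auction is not yet ended")
        self.ended = True
        return self.highest_bidder, self.highest_bid


def producer_choices(auction: TimeOnlyAuction, true_ts: int, skew: int = MAX_SKEW) -> dict:
    """Outcomes a producer can select at true time true_ts by skewing the reported timestamp."""
    return {
        "can_end": true_ts + skew >= auction.bidding_end,        # report a later time
        "can_keep_open": true_ts - skew < auction.bidding_end,   # report an earlier time
    }


def discretion_window(auction: TimeOnlyAuction, skew: int = MAX_SKEW) -> tuple:
    """Half-open true-time interval [lo, hi) in which the producer decides whether the auction is over."""
    return (auction.bidding_end - skew, auction.bidding_end + skew)


def bid_fate(auction: TimeOnlyAuction, true_ts: int, skew: int = MAX_SKEW) -> str:
    """Fate of an otherwise valid bid sent at true_ts: fixed by the rules, or at the producer's discretion."""
    if true_ts + skew < auction.bidding_end:
        return "accepted"
    if true_ts - skew >= auction.bidding_end:
        return "rejected"
    return "producer_decides"


if __name__ == "__main__":
    auction = TimeOnlyAuction(start_ts=1000, bidding_duration=600, starting_bid=100)
    auction.bid("alice", 150, block_ts=1500)
    print(discretion_window(auction))          # (1585, 1615)
    print(producer_choices(auction, 1590))     # both outcomes available
    print(bid_fate(auction, 1590))             # producer_decides
```

The model shows why the judge's severity call is defensible: with a skew of s seconds the producer's discretion covers only true times within s of bidding_end, and for every other moment the contract behaves exactly as specified.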

Tools Used

Manual review

Recommendations

A better approach is to gate the auction's phases with an explicit boolean flag (or a modifier built on it) that is set when the auction starts and cleared when it is ended, so that bidding and withdrawals depend on contract state rather than on the block timestamp alone. Note the trade-off: a flag moves the decision of when bidding closes to whoever is allowed to call end, so end must be restricted to the seller (and can additionally keep the deadline check), otherwise a bounded timestamp skew is traded for an unbounded trust assumption.

#[storage]
struct Storage {
    open_bid_period: bool,
    ...
}

fn start(ref self: ContractState, bidding_duration: u64, starting_bid: u64) {
    assert(!self.open_bid_period.read(), 'Auction already started');
    self.open_bid_period.write(true); // opens the bidding period
    ...
}

fn withdraw(ref self: ContractState) {
    assert(!self.open_bid_period.read(), 'Auction is not ended');
    ...
}

fn end(ref self: ContractState) {
    // restrict this entry point to the seller; the flag, not the timestamp, then gates withdrawals
    assert(self.open_bid_period.read(), 'Auction already ended');
    self.open_bid_period.write(false); // closes the bidding period explicitly
    ...
}
Updates

Lead Judging Commences

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
