Submission Details
Severity:
No check for _marketParametrs.timestamp = block.timestamp in Swan initializa function
Summary
It is one of the main invariants of the protocol that in every marketParametrs creation contract must do this: _marketParametrs.timestamp = block.timestamp
Function setMarketParametrs implement this behaviour
function setMarketParameters(SwanMarketParameters memory _marketParameters) external onlyOwner {
require(_marketParameters.platformFee <= 100, "Platform fee cannot exceed 100%");
_marketParameters.timestamp = block.timestamp;
marketParameters.push(_marketParameters);
}
But this behavior is not implemented for first marketParametr in initialization
function initialize(
SwanMarketParameters calldata _marketParameters,
LLMOracleTaskParameters calldata _oracleParameters,
// contracts
address _coordinator,
address _token,
address _buyerAgentFactory,
address _swanAssetFactory
) public initializer {
__Ownable_init(msg.sender);
require(_marketParameters.platformFee <= 100, "Platform fee cannot exceed 100%");
// market & oracle parameters
marketParameters.push(_marketParameters);
oracleParameters = _oracleParameters;
// contracts
coordinator = LLMOracleCoordinator(_coordinator);
token = ERC20(_token);
buyerAgentFactory = BuyerAgentFactory(_buyerAgentFactory);
swanAssetFactory = SwanAssetFactory(_swanAssetFactory);
// swan is an operator
isOperator[address(this)] = true;
// owner is an operator
isOperator[msg.sender] = true;
}
Impact
The protocol can only suffer damage if it initializes incorrectly and does not put timestamp on block.timestamp, so severity = low
Tools Used
Manual Review
Recommendations
Add _marketParameters.timestamp = block.timestamp;to initialization function
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.