QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Future Timestamp in lastPoolUpdateRun Causes Temp DoS in performUpdate

Summary

The InitialisePoolLastRunTime function in the contract allows an admin or authorized user to set the lastPoolUpdateRun timestamp for a pool. However, there is no validation to ensure that the provided timestamp is not in the future. If a future timestamp is mistakenly set, it will cause the performUpdate function to revert indefinitely until the blockchain’s block.timestamp catches up, leading to a Denial of Service (DoS) for pool updates.

Vulnerability Details

function InitialisePoolLastRunTime(address _poolAddress, uint40 _time) external {
    ...
    poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun = _time;
    emit PoolLastRunSet(_poolAddress, _time);
}

function performUpdate(address _pool) public {
    ...
    require(
        block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval,
        "Update not allowed"
    );
    ...
}

If lastPoolUpdateRun is set to a future timestamp, the condition in performUpdate will fail:

block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval

The unsigned subtraction block.timestamp - settings.timingSettings.lastPoolUpdateRun underflows whenever lastPoolUpdateRun is greater than block.timestamp, so the call reverts before the comparison is even evaluated, and keeps reverting on every attempt until block.timestamp reaches the stored value.

Impact

Pool updates will be blocked until the block.timestamp catches up to the future value of lastPoolUpdateRun.

Tools Used

Manual Review

Recommendations

Ensure _time is not in the future in the InitialisePoolLastRunTime function:

require(_time <= block.timestamp, "FUTURE_TIMESTAMP_NOT_ALLOWED");

Updates
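The following Foundry test is an added illustration, not part of the original submission or of the QuantAMM code base: it runs the reported check and the recommended fix side by side against a minimal stand-in contract. The struct layout, the function names initialiseUnchecked and initialiseChecked, and the pool address are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";

// Minimal stand-in for the pool timing settings described in the finding (layout assumed).
contract PoolTiming {
    struct Timing { uint40 lastPoolUpdateRun; uint40 updateInterval; }
    mapping(address => Timing) public timing;

    // Unchecked variant: mirrors the reported code and accepts any _time.
    function initialiseUnchecked(address pool, uint40 _time) external {
        timing[pool].lastPoolUpdateRun = _time;
    }

    // Hardened variant: applies the check recommended in the finding.
    function initialiseChecked(address pool, uint40 _time) external {
        require(_time <= block.timestamp, "FUTURE_TIMESTAMP_NOT_ALLOWED");
        timing[pool].lastPoolUpdateRun = _time;
    }

    function performUpdate(address pool) external view {
        Timing memory t = timing[pool];
        // Checked arithmetic: underflows (Panic 0x11) when lastPoolUpdateRun > block.timestamp.
        require(block.timestamp - t.lastPoolUpdateRun >= t.updateInterval, "Update not allowed");
    }
}

contract PoolTimingTest is Test {
    PoolTiming pt = new PoolTiming();
    address pool = address(0xBEEF); // constructed sample pool address

    function testFutureTimestampBlocksUpdates() public {
        vm.warp(1_000_000);
        uint40 future = uint40(block.timestamp + 1 days);
        pt.initialiseUnchecked(pool, future);
        // Reverts with an arithmetic underflow panic, not with the "Update not allowed" string.
        vm.expectRevert(stdError.arithmeticError);
        pt.performUpdate(pool);
        // Once block.timestamp passes the stored value, updates succeed again (temporary DoS only).
        vm.warp(future + 1);
        pt.performUpdate(pool);
    }

    function testHardenedRejectsFutureTimestamp() public {
        vm.warp(1_000_000);
        vm.expectRevert(bytes("FUTURE_TIMESTAMP_NOT_ALLOWED"));
        pt.initialiseChecked(pool, uint40(block.timestamp + 1));
    }
}
```

Run with `forge test`; the first test shows the revert is a panic rather than the contract's own error string, which is what a monitoring rule for stuck pool updates would need to match.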

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
