Inconsistent timestamp storage when the LPNFT is transferred.
Summary
In the afterUpdate function of the UpliftOnlyExample contract, during NFT transfers, the blockTimestampDeposit is incorrectly set using block.number instead of block.timestamp, which is inconsistent with how it's set during initial deposits. This creates an invalid timestamp record.
Vulnerability Details
In addLiquidityProportional(), when creating new FeeData entries, blockTimestampDeposit is set to block.timestamp:
However, in afterUpdate() when transferring LPNFTs, it incorrectly uses block.number instead:
This creates an inconsistency where:
Original deposits store Unix timestamps (seconds since epoch)
Transferred positions store block numbers
The field type is uint40 but block.number is cast to uint32
Impact
Although currently the value of blockTimestampDeposit is not used in any calculations, still users will get a wrong (inconsistent) time recorded on chain in case they transfer the LPNFT to another address.
Tools Used
Manual code review
Recommendations
Be consistent with using block.timestamp in the function afterUpdate.
Lead Judging Commences
finding_afterUpdate_blockNumber_instead_of_timestamp
Likelihood: Medium/High, any NFT transfer will change this variable. Impact: Informational/Very Low. This variable is unused and won’t impact anything, but the array is public and its getter will return a variable with inconsistencies.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.