QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Valid

Block number used instead of timestamp when processing NFT transfer

goran

Summary

In UpliftOnlyExample contract the FeeData struct uses a field named blockTimestampDeposit which is intended to store timestamps. But during NFT transfers, the contract incorrectly stores block number in this field.

Vulnerability Details

Contract UpliftOnlyExample uses following struct to keep track of deposits:

struct FeeData {

uint256 tokenID;

uint256 amount;

uint256 lpTokenDepositValue;

uint40 blockTimestampDeposit; // Field name indicates timestamp

uint64 upliftFeeBps;

}

In addLiquidityProportional contract stores the current timestamp as expected:

poolsFeeData[pool][msg.sender].push(

FeeData({

tokenID: tokenID,

amount: exactBptAmountOut,

//this rounding favours the LP

lpTokenDepositValue: depositValue,

//known use of timestamp, caveats are known.

blockTimestampDeposit: uint40(block.timestamp), // @audit timestamp correctly stored

upliftFeeBps: upliftFeeBps

})

);

However in afterUpdate contract will incorrectly store block number instead of timestamp:

feeDataArray[tokenIdIndex].blockTimestampDeposit = uint32(block.number);

Additional issues:

Not only wrong type of value (block number vs timestamp), but also wrong size cast:
- Field is uint40
- Cast is to uint32
The field name blockTimestampDeposit is misleading given it sometimes stores block numbers

Impact

Since field blockTimestampDeposit is not used in UpliftOnlyExample (apart from being stored), this is low severity. However it can negatively impact any other contract which is integrating with UpliftOnlyExample.

Tools Used

Manual review

Recommendations

Be consistent with timestamp usage.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_afterUpdate_blockNumber_instead_of_timestamp

Likelihood: Medium/High, any NFT transfer will change this variable. Impact: Informational/Very Low. This variable is unused and won’t impact anything, but the array is public and its getter will return a variable with inconsistencies.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.