Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing Time Delay Between Commit and Apply Operations

hamadiftikhar

Summary

The IBlockHashRetain.vyi interface lacks a mandatory time delay between commit and apply operations,which requires protection against get-or-create pattern vulnerabilities.

Vulnerability Details

The current implementation allows immediate application after commitment:

@external

def commit() -> uint256:

"""

@notice Commit (and apply) a block hash/state root.

@dev Same as `apply()` but saves committer

"""

...

@external

def apply() -> uint256:

"""

@notice Apply a block hash/state root.

"""

...

Critical issues:

No minimum waiting period between commit and apply
Both operations can occur in the same block
No timestamp validation
Allows instant finalization of potentially manipulated data

Impact

Manipulation of oracle data through rapid commit-apply sequences
No time for validators to verify committed values
Potential price manipulation in dependent protocols
Bypass of intended security checks

Tools Used

Manual Review

Recommendations

Implement mandatory timelock:

MINIMUM_DELAY: constant(uint256) = 3600 # 1 hour delay

struct Commitment:

timestamp: uint256

block_number: uint256

is_applied: bool

commitment_data: public(HashMap[address, Commitment])

@external

def commit(_block_number: uint256) -> bool:

"""

@notice Commit a block hash with timelock

"""

self.commitment_data[msg.sender] = Commitment({

timestamp: block.timestamp,

block_number: _block_number,

is_applied: False

})

return True

@external

def apply() -> bool:

"""

@notice Apply after timelock expires

"""

assert block.timestamp >= self.commitment_data[msg.sender].timestamp + MINIMUM_DELAY, "Timelock not expired"

assert not self.commitment_data[msg.sender].is_applied, "Already applied"

self.commitment_data[msg.sender].is_applied = True

return True

Add emergency pause mechanism:

@external

def emergency_pause():

"""

@notice Emergency pause for suspicious activity

"""

assert msg.sender == self.admin, "Not admin"

self.paused = True

This ensures adequate time for validation and prevents rapid manipulation attempts while maintaining protocol security.

Updates

Lead Judging Commences

0xnevi Lead Judge

6 months ago

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.