Submission Details
Impact:
Likelihood:
[H-5] s_earnTimer is not address specific so nobody will be able to earn Snow for a week after one address has called the earnSnow() function
[H-5] s_earnTimer is not address specific so nobody will be able to earn Snow for a week after one address has called the Snow::earnSnow() function
Description
The
Snowcontract uses a variables_earnTimerto keep track of the last time a Snow was earnedHowever, the variable is not address specific. So once
earnSnow()has been called, the function will be uncallable by anyone for a week
function earnSnow() external canFarmSnow {
@> if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer();
}
_mint(msg.sender, 1);
s_earnTimer = block.timestamp;
}
Risk
Likelihood:
Very high. Whenever someone calls the
earnSnow()for the first time in a week
Impact:
Nobody will be able to earn snow for a week after someone else has earned it once during the week
Proof of Concept
Add the following test case to the test suite of Snow
function test_lockSnow() public {
vm.prank(ashley);
snow.earnSnow();
vm.startPrank(jerry);
vm.expectRevert();
snow.earnSnow();
}
Recommended Mitigation
Make s_earnTimer user specific by turning it into a mapping of address to uint256
- uint256 private s_earnTimer;
+ mapping(address=>uint256) private s_earnTimer;
.
.
.
function earnSnow() external canFarmSnow {
if (s_earnTimer[msg.sender] != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer();
}
_mint(msg.sender, 1);
s_earnTimer[msg.sender] = block.timestamp;
}
Updates
Rewards breakdown
nSLOC
215This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.