code-423n4 / 2021-07-spartan-findings

0 stars 0 forks source link

Router.revenueDetails(uint256,address) potentially vulnerable to miner manipulation #194

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

heiho1

Vulnerability details

Impact

Router.revenueDetails(uint256,address) uses block.timestamp to calculate revenue

Proof of Concept

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L312

Tools Used

Slither

Recommended Mitigation Steps

An external time oracle like ChainLink Alarm Clock is worth consideration: https://blog.chain.link/blockchain-voting-using-a-chainlink-alarm-clock-oracle/

SamusElderg commented 3 years ago

The values updated by revenueDetails are for UI purposes and do not need to be accurate, the limited miner-manipulation potential is no cause for concern here. Non-critical.

ghoul-sol commented 3 years ago

Per sponsor comment, non-critical