verifyfirst
commented
3 years ago Oracles are not in our scope.
Open code423n4 opened 3 years ago
verifyfirst
commented
3 years ago Oracles are not in our scope.
SamusElderg
commented
3 years ago The values updated by _addPoolMetrics are for UI purposes and do not need to be accurate, the limited miner-manipulation potential is no cause for concern here. Non-critical.
ghoul-sol
commented
3 years ago Best practices, non-critical
loudoguno
commented
3 years ago removed invalid as per judges sheet
Handle
heiho1
Vulnerability details
Impact
Pool._addPoolMetrics(uint256) on line 334 relies on block.timestamp and is potentially vulnerable to miner manipulation. This could lead to erroneous pool metrics.
Proof of Concept
https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Pool.sol#L338
https://solidity-by-example.org/hacks/block-timestamp-manipulation/
Tools Used
Slither
Recommended Mitigation Steps
An external time oracle like ChainLink Alarm Clock is worth consideration: https://blog.chain.link/blockchain-voting-using-a-chainlink-alarm-clock-oracle/