search

code-423n4 / 2021-07-spartan-findings

0 stars 0 forks source link

Pool._addPoolMetrics(uint256) potentially subject to miner manipulation #205

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

heiho1

Vulnerability details

Impact

Pool._addPoolMetrics(uint256) on line 338 is potentially subject to miner manipulation due to a reliance for time comparison against block.timestamp.

Proof of Concept

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Pool.sol#L338

https://solidity-by-example.org/hacks/block-timestamp-manipulation/

Tools Used

Slither

Recommended Mitigation Steps

An external time oracle like ChainLink Alarm Clock is worth consideration: https://blog.chain.link/blockchain-voting-using-a-chainlink-alarm-clock-oracle/

SamusElderg commented 3 years ago

The values updated by _addPoolMetrics are for UI purposes and do not need to be accurate, the limited miner-manipulation potential is no cause for concern here. Non-critical.

SamusElderg commented 3 years ago

Duplicate of #201

ghoul-sol commented 3 years ago

Non-critical