Per the info section of the "Readme":
Each basket has a publisher who can propose basket weights and composition, a license streaming fee on the basket, as well as update the publisher of that basket, all of these actions are subject to a 24 hour timelock.
The "TIMELOC_DURATION" constant (in Basket.sol) is actualy set to less than 24 hours (< 2 hours) allowing proposals to occur too quickly.
Set the TIMELOC_DURATION constant to 24 hours (1 days or the equivalent seconds) or change the code comment and documentation to reflect the actual requirement.
Handle
ye0lde
Vulnerability details
Impact
Per the info section of the "Readme": Each basket has a publisher who can propose basket weights and composition, a license streaming fee on the basket, as well as update the publisher of that basket, all of these actions are subject to a 24 hour timelock.
The "TIMELOC_DURATION" constant (in Basket.sol) is actualy set to less than 24 hours (< 2 hours) allowing proposals to occur too quickly.
Proof of Concept
The timelock requirement is documented here: https://github.com/code-423n4/2021-09-defiProtocol#readme
The timelock constant is defined here: https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L15
The timelock constant is referenced here: https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L138 https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L156 https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L174
Tools Used
Visual Studio Code
Recommended Mitigation Steps
Set the TIMELOC_DURATION constant to 24 hours (1 days or the equivalent seconds) or change the code comment and documentation to reflect the actual requirement.