frank-beard
commented
2 years ago this refers to the block number not the timestamp
Closed code423n4 closed 2 years ago
frank-beard
commented
2 years ago this refers to the block number not the timestamp
GalloDaSballo
commented
2 years ago See #126
Handle
ye0lde
Vulnerability details
Impact
Per the info section of the "Readme": Each basket has a publisher who can propose basket weights and composition, a license streaming fee on the basket, as well as update the publisher of that basket, all of these actions are subject to a 24 hour timelock.
The "TIMELOC_DURATION" constant (in Basket.sol) is actualy set to less than 24 hours (< 2 hours) allowing proposals to occur too quickly.
Proof of Concept
The timelock requirement is documented here: https://github.com/code-423n4/2021-09-defiProtocol#readme
The timelock constant is defined here: https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L15
The timelock constant is referenced here: https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L138 https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L156 https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L174
Tools Used
Visual Studio Code
Recommended Mitigation Steps
Set the TIMELOC_DURATION constant to 24 hours (1 days or the equivalent seconds) or change the code comment and documentation to reflect the actual requirement.