Open code423n4 opened 2 years ago
this is the block number time diff, not the timestamp
Downgrading the finding to non-critical, however notice that the average block time for ethereum is 13 seconds: https://ycharts.com/indicators/ethereum_average_block_time
So technically your 4 would be something like 4.6
Handle
ye0lde
Vulnerability details
Impact
Per the info section of the "Readme": If an auction has not been settled after being bonded within 24 hours, the bond can be burned and the auction will need to be started again.
The "ONE_DAY" constant (in Auction.sol) is actually set to less than 24 hours (< 2 hours) allowing bonds to be burned too quickly. I'll refer to this constant as the "settle time limit" below.
Proof of Concept
The "settle time" requirement is documented here: https://github.com/code-423n4/2021-09-defiProtocol#readme
The "ONE_DAY" constant used for the "settle time limit" is defined here: https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L13
The "ONE_DAY" constant used for the "settle time limit" is referenced here:
Burning - https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L114
Settling - (you can also not "settle" the auction if the "settle time limit" is exceeded) https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L78
Tools Used
Visual Studio Code
Recommended Mitigation Steps
Rename the "ONE_DAY" constant to something less confusing. For example, "SETTLE_TIME_LIMIT".
Set the renamed constant to 24 hours (1 days or the equivalent seconds) or change the documentation to reflect the actual requirement.
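The disagreement in this issue is a units question: the warden read the constant as seconds, the judge points out it is a block-number difference, so the real settle window depends on the chain's average block time. The model below is an added example, not code from the report, the judge, or the defiProtocol repository. It assumes the constant is `4 * 60 * 24` blocks (consistent with the judge's "4" per minute and with the report's "< 2 hours" when misread as seconds) and assumes a simple `block.number < start + limit` / `>=` shape for the settle and burn checks; both are assumptions, and the `BondedAuction` class is hypothetical.

```python
"""Block-count deadlines versus wall-clock time.

Added example (not the project's code). Shows how long a block-denominated
"one day" window actually lasts at different average block times, and how
early a bond becomes burnable when blocks are faster than the 15 s the
constant was sized for.
"""
import math
from dataclasses import dataclass

# Assumed value of the constant under discussion: 4 blocks/minute * 60 * 24,
# i.e. 24 hours only if a block arrives every 15 seconds.
ONE_DAY_BLOCKS = 4 * 60 * 24


def window_seconds(blocks: int, block_time_s: float) -> float:
    """Wall-clock length of a deadline expressed in blocks."""
    return blocks * block_time_s


def window_hours(blocks: int, block_time_s: float) -> float:
    return window_seconds(blocks, block_time_s) / 3600


def blocks_for(seconds: int, block_time_s: float) -> int:
    """Block count needed to cover at least `seconds` at a given block time."""
    return math.ceil(seconds / block_time_s)


def elapsed_blocks(hours: float, block_time_s: float) -> int:
    """Blocks mined after `hours` of wall-clock time (whole blocks only)."""
    return math.floor(hours * 3600 / block_time_s)


@dataclass
class BondedAuction:
    """Hypothetical model of the bond/settle/burn window, in block units.

    The check shapes are assumptions, not the project's actual conditions:
    settling is allowed strictly before the limit, burning from the limit on.
    """
    start_block: int
    limit_blocks: int = ONE_DAY_BLOCKS

    def deadline_block(self) -> int:
        return self.start_block + self.limit_blocks

    def settle_open(self, block_number: int) -> bool:
        return block_number < self.deadline_block()

    def burnable(self, block_number: int) -> bool:
        return block_number >= self.deadline_block()


def burnable_after_hours(hours: float, block_time_s: float) -> bool:
    """Can the bond be burned `hours` after bonding at this block time?"""
    auction = BondedAuction(start_block=0)
    return auction.burnable(elapsed_blocks(hours, block_time_s))


if __name__ == "__main__":
    for bt in (15.0, 13.0, 12.0):
        print(f"{bt:>4} s blocks: window = {window_hours(ONE_DAY_BLOCKS, bt):.1f} h")
    print(f"misread as seconds: window = {window_hours(ONE_DAY_BLOCKS, 1):.1f} h")
    print(f"blocks for 24 h at 13 s: {blocks_for(86400, 13)}")
    print(f"burnable at 21 h with 13 s blocks: {burnable_after_hours(21, 13)}")
```

The practical check this gives a reviewer: a constant named for a duration but compared against `block.number` drifts with block time (here, roughly 3 hours short of 24 at 13 s blocks), which is why either renaming the constant in block units or switching the comparison to `block.timestamp` with `1 days` removes the ambiguity.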