code-423n4 / 2021-09-defiprotocol-findings


block timestamp manipulation can cause fees change #195

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

aga7hokakological

Vulnerability details

Impact

Timestamp of the block can be manipulated by the miner which can cause change in the fees.

Proof of Concept

uint256 timeDiff = (block.timestamp - lastFee);

In this line, if the lastFee variable is known, then a miner with more computation can manipulate the timestamp to make the difference equal to 0, which might result in the variable fee being 0.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Don't use block.timestamp directly in contract.

GalloDaSballo commented 2 years ago

This finding would be valid if fees were related to time, but the reality is that fees are just streamed / unlocked over time. So skipping up to 15 seconds has literally no impact.

Will downgrade to low as the finding is factually correct, but there are no funds at risk
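As an added illustration (a simplified Python model, not the project's contract, with a constructed linear rate and constructed block timestamps), the fee stream GalloDaSballo describes accrues rate times the seconds since lastFee; shortening one block's timestamp, or calling twice in the same block so timeDiff is 0, only defers accrual to the next call, and the shortfall is bounded by the rate times the seconds a miner can shave.

```python
# Simplified model of a fee that is streamed over time, accrued on each call as
# rate * (block.timestamp - lastFee). Added illustration, not the project's
# contract; the linear rate and the block timestamps below are constructed.
from dataclasses import dataclass, field

FEE_PER_SECOND = 3  # constructed accrual rate, in fee units per second


@dataclass
class FeeStream:
    last_fee: int                      # plays the role of the contract's lastFee
    accrued: int = 0
    per_call: list = field(default_factory=list)

    def accrue(self, block_timestamp: int) -> int:
        # Timestamps never move backwards between blocks; two calls inside the
        # same block see the same timestamp, so time_diff can legitimately be 0.
        assert block_timestamp >= self.last_fee, "timestamp moved backwards"
        time_diff = block_timestamp - self.last_fee
        fee = FEE_PER_SECOND * time_diff   # 0 when time_diff == 0, as the report notes
        self.accrued += fee
        self.last_fee = block_timestamp    # unaccrued seconds are carried forward
        self.per_call.append(fee)
        return fee


def total_fee(start: int, timestamps: list) -> tuple:
    """Replay accrual over call timestamps; returns (total, fee per call)."""
    stream = FeeStream(last_fee=start)
    for ts in timestamps:
        stream.accrue(ts)
    return stream.accrued, stream.per_call


def max_deferral(start: int, honest: list, manipulated: list) -> int:
    """Largest running shortfall of the manipulated sequence vs. the honest one."""
    _, h = total_fee(start, honest)
    _, m = total_fee(start, manipulated)
    running = worst = 0
    for a, b in zip(h, m):
        running += a - b
        worst = max(worst, running)
    return worst


START = 1_000_000
HONEST = [START + 13, START + 26, START + 39, START + 52]     # ~13 s blocks
SHORTENED = [START + 13, START + 14, START + 39, START + 52]  # block 2 shaved by 12 s
SAME_BLOCK = [START + 13, START + 13, START + 52]             # two calls in one block
```

Once the chain's timestamps catch up to real time, every sequence has accrued the same total; only the per-call split differs.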