code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In Auction.sol, the state variable bondTimestamp should be called something like bondBlocknumber since it saves the block.number and not timestamp. It's possible that this may lead to issues if in the future the code is upgraded/forked and some new developers don't pay attention to the correct meaning of the variables.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Auction.sol#L58

Tools Used

editor

Recommended Mitigation Steps

Consider renaming the variable as suggested.

frank-beard commented 2 years ago

not an exploit

GalloDaSballo commented 2 years ago

Agree with finding, non-critical

code-423n4 / 2021-09-defiprotocol-findings