Open code423n4 opened 2 years ago
ack'd
known + opinionated
There is no unanimous recommendation on whether to use block numbers or timestamps. Block numbers are not accurate, but timestamps can be manipulated by miners. Wardens try to pick the low-hanging fruit here, as these issues can be submitted in both cases.
Marking this as a non-critical issue; the sponsor is aware of this.
Handle
Czar102
Vulnerability details
Impact
Expiration is based on block numbers. This makes the expiry time dependent on average block time, which may change, for example, due to a hard fork or Difficulty Bomb; the average block time doesn't need to be constant. See this for more information.
The desired expiry time may be prolonged or shortened significantly.
Proof of Concept
https://github.com/code-423n4/2021-11-fei/blob/add34324513b863f58e4ef7b3cd0c12d776dbb7f/contracts/PegExchanger.sol#L101
Recommended Mitigation Steps
Consider using block.timestamp instead.
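An added example, not part of the original finding or the project's code: a small Python model of the impact described above, computing how far a block-number expiry lands from the intended wall-clock duration when the block time changes partway through. The function names, block heights and block times are constructed assumptions.

```python
from bisect import bisect_right

def seconds_until_block(start_block, target_block, schedule):
    """Wall-clock seconds from start_block to target_block.

    schedule: list of (first_block, seconds_per_block), sorted by first_block;
    each entry applies until the next one begins (constructed model).
    """
    starts = [first for first, _ in schedule]
    if not schedule or starts[0] > start_block or target_block < start_block:
        raise ValueError("schedule must cover start_block <= target_block")
    i = bisect_right(starts, start_block) - 1  # segment containing start_block
    elapsed, cur = 0, start_block
    while cur < target_block:
        seg_end = starts[i + 1] if i + 1 < len(starts) else target_block
        nxt = min(seg_end, target_block)
        elapsed += (nxt - cur) * schedule[i][1]
        cur, i = nxt, i + 1
    return elapsed

def expiry_drift(start_block, duration_s, assumed_block_time, schedule):
    """Return (expiry_block, drift_seconds) for a block-number expiry.

    drift < 0: expires earlier than intended; drift > 0: later.
    """
    expiry_block = start_block + duration_s // assumed_block_time
    actual = seconds_until_block(start_block, expiry_block, schedule)
    return expiry_block, actual - duration_s

# Constructed sample values, not taken from the contract under review.
START = 1_000_000
DURATION = 130 * 86_400          # intended lifetime: 130 days
ASSUMED = 13                     # seconds per block assumed at deployment
SCENARIOS = {
    "constant 13 s": [(0, 13)],
    "12 s after fork": [(0, 13), (START + 100_000, 12)],
    "20 s slowdown": [(0, 13), (START + 400_000, 20)],
}

if __name__ == "__main__":
    for name, schedule in SCENARIOS.items():
        block, drift = expiry_drift(START, DURATION, ASSUMED, schedule)
        print(f"{name:16} expiry block {block}  drift {drift / 86_400:+.2f} days")
```

In this model the same expiry block is reached almost 9 days early in the 12-second scenario and more than 37 days late in the 20-second one, while a timestamp-based expiry would not move with the block time.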