code-423n4 / 2022-03-paladin-findings


Incorrect number of seconds in `ONE_YEAR` variable #4

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L25

Vulnerability details

Impact

In HolyPaladinToken.sol the `ONE_YEAR` variable claims that there are 31557600 seconds in a year, which is incorrect. The `ONE_YEAR` variable is used in the getCurrentVotes() function as well as the getPastVotes() function, so it is vital that the correct time in seconds be used, as it can affect users negatively.

Proof of Concept

https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L25

86,400 seconds in a day x 365 = 31_536_000

Tools Used

Manual code review

Recommended Mitigation Steps

The correct number of seconds in a year is 31_536_000, so the `ONE_YEAR` variable should be changed to `ONE_YEAR = 31_536_000`.

Kogaroshi commented 2 years ago

An incorrect value for MONTH was used, leading to all temporal constants (YEAR, max lock time, etc.) being incorrect. All values were fixed in: https://github.com/PaladinFinance/Paladin-Tokenomics/pull/3

heba-elhasn commented 1 year ago

Well, actually the number of seconds in the year is correct!! It is 31,557,600 sec per year, since every year is 365 and a quarter days. I'll put a link to the Wikipedia page to illustrate it. I think the developer knew this info.