Closed code423n4 closed 2 years ago
Duplicate of #149 (solution from 149 already includes the fix)
The warden seems to be saying that locks will be following a schedule; that is the exact goal of:
uint256 unlockInWeeks = (unlockAt / WEEK) * WEEK;
It uses the first division to distribute unlock periods into specific times that are divisible by WEEK.
I highly recommend the Warden to spend a few extra minutes to format their submissions (a simple Visual Studio Code Preview would work, or just create an issue on a Test Repo on GitHub).
Given the information I have, I think the finding is invalid.
Lines of code
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L103
Vulnerability details
uint256 unlockAt = block.timestamp + maxTime;
unlockInWeeks can have precision issues because there are no floating point variables in Solidity, so if unlockAt is 10.32 is 10 / week 3 it will be 3 * 3 = 9 instead of almost 4 weeks, so users can unlock before the time they actually wanted to lock. Multiplication before can be frontrun in the next function when the price is before the interest, and miners can manipulate block.timestamp by 900 seconds, so if before that, let's say, a miner wants to stake for 900 seconds less because of staking for more interest, or 900 less because in the mempool there is a tx that hurts their stake, they can shorten the time of the stake and they can take advantage, and it is not fair to users.
uint256 unlockInWeeks = (unlockAt / WEEK) * WEEK;
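The week flooring discussed in this thread, modelled in Python as an added example (not code from the contract or the contest repository). It shows how many seconds the rounding removes and which rounded unlock times are reachable when the timestamp moves by the 900 seconds quoted in the submission. `WEEK` as one week in seconds, the `MAX_TIME` value and the sample timestamps are assumptions constructed for illustration.

```python
WEEK = 7 * 24 * 60 * 60             # assumption: WEEK is one week in seconds
MAX_TIME = 4 * 365 * 24 * 60 * 60   # assumption: constructed lock length, not the contract's value
MAX_DRIFT = 900                     # timestamp skew figure quoted in the submission


def unlock_in_weeks(block_timestamp: int, max_time: int = MAX_TIME) -> int:
    """Mirror of `(unlockAt / WEEK) * WEEK` using truncating integer division."""
    unlock_at = block_timestamp + max_time
    return (unlock_at // WEEK) * WEEK


def rounding_loss(block_timestamp: int, max_time: int = MAX_TIME) -> int:
    """Seconds removed by the flooring; always in the range [0, WEEK)."""
    return block_timestamp + max_time - unlock_in_weeks(block_timestamp, max_time)


def reachable_unlocks(block_timestamp: int, max_time: int = MAX_TIME,
                      drift: int = MAX_DRIFT) -> list[int]:
    """Rounded unlock times reachable if the timestamp moves by at most +/- drift.

    Flooring is monotonic, so the reachable set is every week boundary
    between the results for the earliest and the latest timestamp.
    """
    lo = unlock_in_weeks(block_timestamp - drift, max_time)
    hi = unlock_in_weeks(block_timestamp + drift, max_time)
    return list(range(lo, hi + WEEK, WEEK))


if __name__ == "__main__":
    boundary = 3000 * WEEK                       # constructed week boundary
    samples = {
        "mid-week": boundary - MAX_TIME + 3 * 86400,
        "300 s after a boundary": boundary - MAX_TIME + 300,
    }
    for label, ts in samples.items():
        print(label,
              "| rounded unlock:", unlock_in_weeks(ts),
              "| seconds floored away:", rounding_loss(ts),
              "| reachable with +/-900 s:", reachable_unlocks(ts))
```

For the mid-week sample the 900-second window never crosses a boundary, so only one unlock time is reachable; for the sample 300 seconds after a boundary, two adjacent week boundaries are reachable.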