code-423n4 / 2022-06-canto-findings


_update function on deployment time isn't actually going to be 30 minutes and you can bypass it #282

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Plex-Engineer/stableswap/blob/489d010eb99a0885139b2d5ed5a2d826838cc5f9/contracts/BaseV1-core.sol#L164

Vulnerability details

Because timeElapsed = block.timestamp - point.timestamp, on deployment it can be zero if someone calls it right after deployment, and block.timestamp > 1800 is true even though 30 minutes have not passed.

Mitigation

Have a check that block.timestamp is updated in that function; fixing update should make it better, but try to make block.timestamp into a var so the function has a time that can be behind.

GalloDaSballo commented 2 years ago

On deployment one observation will be set with block.timestamp as its time.

In the example shown by the warden (no time has passed), then the code will skip adding a new observation.

In lack of a POC, I am closing as invalid.
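The disagreement above comes down to what timeElapsed is compared against right after deployment. The model below is an added example, not code from the stableswap repository or from either commenter: it mimics the observation bookkeeping the judge describes (one observation seeded at deployment with the deploy block's timestamp, a new one recorded only once more than the 30-minute window has elapsed since the last one) and contrasts it with the reading in the report (comparing a raw block.timestamp against 1800). The class, function and field names, the 30-minute PERIOD_SIZE constant, the strict greater-than at the window boundary, and the sample timestamps are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List

# Assumed: the 30-minute window the thread discusses, in seconds.
PERIOD_SIZE = 30 * 60


@dataclass
class Observation:
    timestamp: int
    reserve0_cumulative: int
    reserve1_cumulative: int


class PairTwapModel:
    """Toy stand-in for the pair's observation logic (not the project's contract).

    Deployment seeds one observation stamped with the deploy block time, so the
    very next call sees elapsed == 0 rather than elapsed == block.timestamp.
    """

    def __init__(self, deploy_timestamp: int) -> None:
        self.reserve0_cumulative = 0
        self.reserve1_cumulative = 0
        self.last_timestamp = deploy_timestamp
        self.observations: List[Observation] = [
            Observation(deploy_timestamp, 0, 0)  # the observation set on deployment
        ]

    def last_observation(self) -> Observation:
        return self.observations[-1]

    def update(self, block_timestamp: int, reserve0: int, reserve1: int) -> bool:
        """Model of _update. Returns True only if a new observation was recorded."""
        # Cumulative reserves advance by reserve * seconds since the last update.
        elapsed = block_timestamp - self.last_timestamp
        if elapsed > 0 and reserve0 != 0 and reserve1 != 0:
            self.reserve0_cumulative += reserve0 * elapsed
            self.reserve1_cumulative += reserve1 * elapsed
        self.last_timestamp = block_timestamp

        # Elapsed time is measured against the LAST OBSERVATION's timestamp,
        # not against zero, so immediately after deployment it is 0.
        point = self.last_observation()
        elapsed_since_point = block_timestamp - point.timestamp
        if elapsed_since_point > PERIOD_SIZE:  # assumed strict comparison
            self.observations.append(
                Observation(block_timestamp, self.reserve0_cumulative, self.reserve1_cumulative)
            )
            return True
        return False


def warden_reading(block_timestamp: int) -> bool:
    """The comparison the report describes: a raw block.timestamp against 1800.

    Any real block timestamp (seconds since 1970) exceeds 1800, so this gate
    would always pass; the model above shows the contract does not do this.
    """
    return block_timestamp > PERIOD_SIZE


def demo(deploy_ts: int = 1_655_000_000) -> dict:
    """Walk through deployment, an immediate call, the boundary, and one past it."""
    pair = PairTwapModel(deploy_ts)
    immediate = pair.update(deploy_ts, 10, 10)                   # same block as deploy
    at_boundary = pair.update(deploy_ts + PERIOD_SIZE, 10, 10)   # exactly 30 minutes
    past_boundary = pair.update(deploy_ts + PERIOD_SIZE + 1, 10, 10)
    return {
        "immediate_recorded": immediate,
        "boundary_recorded": at_boundary,
        "past_boundary_recorded": past_boundary,
        "observation_count": len(pair.observations),
        "reserve0_cumulative": pair.reserve0_cumulative,
        "warden_reading_immediate": warden_reading(deploy_ts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the immediate call and the call exactly at the window boundary both skip recording, while the first call past the window records a second observation; warden_reading() returns True for the same immediate timestamp, which is the gap between the two readings of the check.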