Open code423n4 opened 1 year ago
The comments state [roughly](https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L38) + block time is currently fixed
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-c
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L40
Vulnerability details
Impact
The DISTRIBUTION_PERIOD_LENGTH value used to represent the length of a distribution period may not accurately represent 90 days. The value is currently calculated based on a fixed 12-second Ethereum block time, but Ethereum's average block time varies over time, causing potential discrepancies between the calculated block count and the actual elapsed time.

Proof of Concept
DISTRIBUTION_PERIOD_LENGTH is defined as follows:

According to the docs, DISTRIBUTION_PERIOD_LENGTH should represent 90 days in blocks, which may differ based on this site:

To demonstrate this potential risk, here are two scenarios based on the highest and the lowest block time values in the past two months:

Scenario 1: April 13, 2023 (highest block time in the past two months)

Scenario 2: May 05, 2023 (lowest block time in the past two months)

The NatSpec states that the value should be roughly equivalent to the number of blocks in 90 days:

These scenarios may not have a big impact on the screening stage, which runs for 80 days, but they may affect the funding stage, which only runs for 10 days.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend using block.timestamp and Solidity's time units instead of block.number to calculate time intervals. This approach is more reliable than using a fixed block count, which is affected by the variability of Ethereum's average block time.

Assessed type
Timing
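As an added illustration of the mitigation recommended above (this is a sketch written for this page, not Ajna's code), the two contracts below express the same 90-day period and 10-day funding stage once against block.number, with a 12-second block time baked into the constants, and once against block.timestamp with Solidity time units; the contract and function names are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only (not Ajna's code). Block-counted version: the period
// length is 90 days ONLY if every block takes exactly 12 seconds.
contract BlockCountedPeriod {
    // 90 * 24 * 60 * 60 / 12 blocks, assuming a fixed 12-second block time
    uint256 public constant DISTRIBUTION_PERIOD_LENGTH = 648_000;
    // Screening stage covers the first 80 days under the same assumption
    uint256 public constant SCREENING_PERIOD_LENGTH = 576_000;

    uint256 public startBlock;

    function startPeriod() external {
        startBlock = block.number;
    }

    // Real elapsed time of the 10-day funding window drifts with the
    // network's average block time, because only blocks are counted here.
    function isFundingStage() public view returns (bool) {
        uint256 elapsed = block.number - startBlock;
        return elapsed >= SCREENING_PERIOD_LENGTH && elapsed < DISTRIBUTION_PERIOD_LENGTH;
    }
}

// Timestamp version: Solidity time units are plain seconds, so the stage
// boundaries hold regardless of how fast or slowly blocks are produced.
contract TimestampPeriod {
    uint256 public constant DISTRIBUTION_PERIOD_LENGTH = 90 days;
    uint256 public constant SCREENING_PERIOD_LENGTH = 80 days;

    uint256 public startTime;

    function startPeriod() external {
        startTime = block.timestamp;
    }

    // Funding stage is exactly the final 10 days of wall-clock time.
    function isFundingStage() public view returns (bool) {
        uint256 elapsed = block.timestamp - startTime;
        return elapsed >= SCREENING_PERIOD_LENGTH && elapsed < DISTRIBUTION_PERIOD_LENGTH;
    }
}
```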