`DISTRIBUTION_PERIOD_LENGTH` will not be accurate due to ethereum average block time volatility

[code423n4]

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L40

Vulnerability details

Impact

The DISTRIBUTION_PERIOD_LENGTH value used to represent the length of a distribution period may not accurately represent 90 days. The value is currently calculated based on a fixed 12-second Ethereum block time, but Ethereum's average block time can vary over time, causing potential discrepancies between the calculated block count and actual elapsed time.

Proof of Concept

DISTRIBUTION_PERIOD_LENGTH is defined as follow:

    uint48 internal constant DISTRIBUTION_PERIOD_LENGTH = 648000;

According to the docs:

Each cycle runs for 90 days and has two stages. The first is a screening stage which runs for 80 days. The second is a funding stage which runs for 10 days.

DISTRIBUTION_PERIOD_LENGTH should represent 90 days in blocks which may differ based on this site:

Ethereum Average Block Time is at a current level of 12.12, up from 12.11 yesterday and down from 13.59 one year ago. This is a change of 0.08% from yesterday and -10.82% from one year ago.

To demonstrate this potential Risk, here is 2 scenarios based on the Highest and the Lowest block time value in the past two months:

Scenario 1: April 13, 2023(Highest block time in past two months)

• 90 days = 90 x 24 x 60 x 60 = 7_776_000 seconds
• Dividing 7_776_000 seconds by the block time of 13.23 seconds gives us:
• 7_776_000 / 13.23 = 587_755 Ethereum blocks
• The diffrence in blocks is: 60_248 Ethereum blocks
• The diffrence in days is: 9 Days

Scenario 2: May 05, 2023(Lowest block time in past two months)

• 90 days = 90 x 24 x 60 x 60 = 7_776_000 seconds
• Dividing 7_776_000 seconds by the block time of 12.09 seconds gives us:
• 7_776_000 / 12.09 = 643_176 Ethereum blocks
• The diffrence in blocks is: 4_824 Ethereum blocks
• The diffrence in hours is: 16 Hours

The NatSpec state that the value should roughly equivalent to the number of blocks in 90 days:

    /**
     * @notice Length of the distribution period in blocks.
     * @dev    Roughly equivalent to the number of blocks in 90 days.
     */
     // @audit-ok this num is based 12s block time
    uint48 internal constant DISTRIBUTION_PERIOD_LENGTH = 648000;

This scenarios may not have a big impact on the screening stage as it runs for 80 days, but it may the funding stage which only runs for 10 days.

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend using the block.timestamp and Time Units instead of block.number to calculate time intervals. This approach is more reliable than using a fixed block count, which can be affected by Ethereum's average block time variability.

Assessed type

Timing

[Picodes]

The comments state [roughly](https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L38) + block time is currently fix

[c4-judge]

Picodes changed the severity to QA (Quality Assurance)

[c4-judge]

Picodes marked the issue as grade-c

[c4-judge]

Picodes marked the issue as grade-b