Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L193
Vulnerability details
DESCRIPTION
Contract BranchPort contains a potential vulnerability related to timestamp manipulation. The vulnerability allows an attacker to bypass the time limit imposed on certain operations within the contract.
The vulnerability exists in the _checkTimeLimit function, which is called during the manage function. The _checkTimeLimit function checks if a Port Strategy has reached its daily management limit by comparing the current timestamp (block.timestamp) with the last time the strategy managed a specific token (lastManaged[msg.sender][_token]). However, this check can be bypassed if an attacker manipulates the block timestamp.
Impact
By manipulating the block timestamp, an attacker can repeatedly call the manage function within a short time frame, exceeding the daily management limit for a specific token. This can lead to undesired behavior and potential financial losses for the contract and its users.
Proof of Concept
Deploy the BranchPort contract on a blockchain testing environment that supports timestamp manipulation, such as Ganache.
In the testing environment, you can manipulate the block timestamp using a command like evm_mine to simulate a shorter time duration than the actual 24 hours. Let's assume the current block timestamp is 1654000000 (UNIX timestamp), and we want to set the timestamp to 1654000010, just 10 seconds after the current timestamp. You can use the following command:
web3.currentProvider.send({ jsonrpc: '2.0', method: 'evm_mine', params: [1654000010], id: 0 });
After manipulating the block timestamp, we can call the manage function multiple times within a short time frame, bypassing the time limit. Make sure to exceed the daily management limit for a specific token. Here's how we can call the function:
// Assuming the contract address is stored in the variable 'contractAddress'
// Assuming 'tokenAddress' is the address of the token you want to manage
// Call the manage function repeatedly within a short time frame
for (let i = 0; i < 5; i++) {
  // Make sure to exceed the daily management limit by passing the desired amount
  await contractAddress.manage(tokenAddress, 100);
}
By following these steps, we can verify the vulnerability by manipulating the block timestamp and observing the impact on the contract's behavior.
Tools Used
web3.js
Recommended Mitigation Steps
To mitigate the vulnerability, it is recommended to use a more robust mechanism for time tracking and limit enforcement. Here are some suggested improvements:
Instead of relying solely on the block timestamp, consider using a more reliable time source, such as an external oracle or a decentralized timestamp service.
Implement stricter validation checks to ensure that the time limits are enforced accurately, even in the presence of timestamp manipulation.
Consider implementing a sliding time window approach to track the time limit, allowing a fixed number of operations within a rolling 24-hour period, rather than using a fixed daily limit based on the timestamp.
Perform comprehensive testing, including both unit tests and integration tests, to ensure the correctness and effectiveness of the time limit enforcement mechanism.
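The sliding-window approach suggested above, modelled off-chain in JavaScript as an added example (not code from the BranchPort contract or from this report's author). The class, method and key names are hypothetical, and the 300-unit and 5-operation limits are constructed sample values; the model caps both the operation count and the cumulative amount per strategy and token.

```javascript
// Added illustration: rolling 24-hour limiter modelled off-chain.
// All names (RollingLimiter, record, DAY) are hypothetical, not BranchPort's.
const DAY = 24 * 60 * 60; // seconds

class RollingLimiter {
  constructor(maxAmount, maxOps) {
    this.maxAmount = maxAmount; // cumulative amount allowed per rolling window
    this.maxOps = maxOps;       // number of operations allowed per rolling window
    this.history = new Map();   // "strategy:token" -> [{ ts, amount }]
    this.lastTs = 0;            // highest timestamp accepted so far
  }

  // Returns true and records the operation if it fits the window, else false.
  record(strategy, token, amount, ts) {
    // Block timestamps never decrease on-chain; reject a clock that does.
    if (ts < this.lastTs) return false;
    const key = `${strategy}:${token}`;
    // Keep only operations still inside the window ending at ts.
    const live = (this.history.get(key) || []).filter((op) => ts - op.ts < DAY);
    const used = live.reduce((sum, op) => sum + op.amount, 0);
    if (live.length >= this.maxOps || used + amount > this.maxAmount) {
      this.history.set(key, live);
      return false;
    }
    live.push({ ts, amount });
    this.history.set(key, live);
    this.lastTs = ts;
    return true;
  }
}

// Constructed sample run using the timestamps from the write-up.
function demo() {
  const limiter = new RollingLimiter(300, 5);
  const t0 = 1654000000;
  const results = [];
  for (let i = 0; i < 5; i++) {
    // Five calls of 100, ten seconds apart: only the first three fit the budget.
    results.push(limiter.record("strategyA", "tokenX", 100, t0 + 10 * i));
  }
  // One second before the first call ages out: still refused.
  results.push(limiter.record("strategyA", "tokenX", 100, t0 + DAY - 1));
  // Exactly 24 hours after the first call: that call has aged out.
  results.push(limiter.record("strategyA", "tokenX", 100, t0 + DAY));
  return results;
}
```

Because the budget is computed from every operation still inside the window, advancing the clock by a few seconds frees nothing; capacity returns only as individual operations age past 24 hours.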
Assessed type
Timing