search

code-423n4 / 2023-06-stader-findings

1 stars 1 forks source link

Bid endBlock not properly set or Auction time can be changed during the block time (12s) #353

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L22

Vulnerability details

Impact

In this part of the code it says 24 hours for 7200, which probably multiplied 12 (as block time) and the result would be 86400 seconds for exact 12 seconds for a block time. However, as we can see here a block time is never 12 seconds even sometimes it peaks to 13 seconds. So, for 8 block there is always 1 additional second.

    uint256 public constant MIN_AUCTION_DURATION = 7200; // 24 hours

This cause the auction time to open to change. It is not guaranteed to be 12 seconds exact for a block.

Tools Used

Manual review

Recommended Mitigation Steps

Either contract must tell the user the auction time is not exactly 24 hours or should use block.timestamp for the proper date cheking.

Assessed type

Other

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)