code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L22

Vulnerability details

Impact

In Auction.sol we have MIN_AUCTION_DURATION constant:

22: uint256 public constant MIN_AUCTION_DURATION = 7200; // 24 hours

The variable is set to the value 7200, which represents the number of blocks.

The average block time in Ethereum is 12s. This means 1 block every 12 sec is 5 blocks. The auction duration for 24 hours is 5 * 60 * 24 = 7200.

But this is only true for mainnet, not for the other chains.

Proof of Concept

From the documentation we can see the Stader will be deployed on:

Polygon, Fantom, BNB, NEAR, Hedera and Terra 2.0

On Polygon average block time is around 2 seconds -> https://polygonscan.com/chart/blocktime
On Fantom is 1 second -> https://ftmscan.com/chart/blocktime
On BNB is 3 seconds -> https://ycharts.com/indicators/binance_smart_chain_average_block_time
And on the other three networks is different from 12 seconds.

As we can see minimum auction duration for 24 hours is different in each chain and is not 7200.

Tools Used

Manual Review

Recommended Mitigation Steps

Instead of hardcoding the MIN_AUCTION_DURATION value, the best idea is to set it in the initializer for each chain. By setting the minimum auction duration dynamically in the initializer, you ensure that the contract adapts to the block time of each network, making the auction duration consistent and appropriate for each specific blockchain environment.

Assessed type

Timing

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #395