hats-finance / Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2

Smart contracts for the Metrom project.
GNU General Public License v3.0
0 stars 0 forks source link

Incorrect check for campaign start time #56

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xea5dd6fc6298c52cf7fac5f7ac842cc555f9047389c4fc1c89f83ee15e9737fb Severity: medium

Description: Description\

The condition if (_bundle.from <= block.timestamp) checks if the campaign start time (_bundle.from) is less than or equal to the current block timestamp. If this condition is true, it reverts the transaction with the error InvalidFrom().

if (_bundle.from <= block.timestamp) revert InvalidFrom();

https://github.com/hats-finance/Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2/blob/e9d6b1e594d5bb3694bfe68f73399156ebb5d3a4/src/Metrom.sol#L169

However, this condition is too strict because it rejects campaign start times that are exactly equal to the current block timestamp.

Since there's a yardstick for the allowed minimum and maximum campaign duration, starting a campaign at the exact block.timestamp the function is called shouldn't be considered invalid.

The check incorrectly rejects campaign start times that are equal to the current block timestamp. If _bundle.from is equal to the current block timestamp, it should be considered a valid start time for the campaign so far the campaign is within the minimum and maximum allowed durations for a campaign.

Recommendation:

The check should be if (_bundle.from < block.timestamp) revert InvalidFrom();

ololade97 commented 5 months ago

@luzzif could you please specify why it is invalid?

luzzif commented 5 months ago

I just don't see how this is a vuln. We want campaign's start timestamp to be in the future and that's why we have that check. If you can provide a PoC that demonstrates how this could be leveraged by a malicious actor I'm more than willing to reclassify this/

ololade97 commented 5 months ago

Ok, thanks.

On Wed, 5 Jun 2024, 13:20 Federico Luzzi, @.***> wrote:

I just don't see how this is a vuln. We want campaign's start timestamp to be in the future and that's why we have that check. If you can provide a PoC that demonstrates how this could be leveraged by a malicious actor I'm more than willing to reclassify this/

— Reply to this email directly, view it on GitHub https://github.com/hats-finance/Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2/issues/56#issuecomment-2149694834, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMVQ5ZTLLEARHIMD5QOBCN3ZF367DAVCNFSM6AAAAABIVH5SN6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBZGY4TIOBTGQ . You are receiving this because you commented.Message ID: <hats-finance/Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2/issues/56/2149694834 @github.com>