Deivitto - `block.timestamp` used as time proxy

[sherlock-admin]

Deivitto

low

block.timestamp used as time proxy

Summary

Risk of using block.timestamp for time should be considered.

Vulnerability Detail

SWC ID: 116

Impact

block.timestamp is not an ideal proxy for time because of issues with synchronization, miner manipulation and changing block times.

This kind of issue may affect the code allowing or reverting the code before the expected deadline, modifying the normal functioning or reverting sometimes.

Code Snippet

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L386 require(block.timestamp < order.expiry, "EXPIRED_CONTRACT");

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L426 require(block.timestamp > order.expiry, "NOT_EXPIRED_CONTRACT");

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L739 require(order.validity > block.timestamp, "EXPIRED_VALIDITY_TIME");

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L789 require(block.timestamp < order.expiry, "CONTRACT_EXPIRED");

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L799 require(block.timestamp >= sellOrder.start, "INVALID_START_TIME");

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L802 require(block.timestamp <= sellOrder.end, "SELL_ORDER_EXPIRED");

Tool used

Manual Review

Recommendation

• Consider the risk of using block.timestamp as time proxy and evaluate if block numbers can be used as an approximation for the application logic. Both have risks that need to be factored in.
• Consider using an oracle for precision