search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

0xaghas - Timestamp verification flaw in _isPoolTimestampValid function #888

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xaghas

high

Timestamp verification flaw in _isPoolTimestampValid function

The _isPoolTimestampValid function has an oversight in its timestamp verification logic, resulting in potential unintended behavior when determining the validity of pool timestamps.

Vulnerability Detail

The function _isPoolTimestampValid checks the validity of the provided timestamps to ensure they follow a logical sequence. While the function verifies most timestamp conditions, it overlooks a critical condition: ensuring that the _allocationStartTime is not less than the _registrationEndTime. This means a situation can arise where allocation can start even before registration has ended, causing potential inconsistencies and disruptions in the expected workflow.

Impact

Failure to enforce the correct sequence of timestamps can lead to operational issues, user confusion, and potential misuse of the system. Specifically, users might be allocated resources before the registration period ends, which could unfairly impact late registrants.

Example:

Suppose the following timestamps are provided:

In this scenario, the allocation process begins at timestamp 1500, even though registration doesn't conclude until timestamp 2000. This overlap can lead to disruptions and discrepancies in allocation.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/donation-voting-merkle-base/DonationVotingMerkleDistributionBaseStrategy.sol#L485C4-L509C6

Tool used

Manual Review

Recommendation

Add a condition to check that _allocationStartTime is not less than _registrationEndTime.

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, low impact