Code4rena CODE423N4:2023-05-AJNA-FINDINGS-ISSUES-478
May 11, 2023 - 12:00 a.m.

Imprecise block calculation

Source: github.com
Tags: vulnerability case, time frame, network variables, mitigation, smart contract, block time

Lines of code

Vulnerability details

Impact

        * @dev    Roughly equivalent to the number of blocks in 7 days.
        * @dev    Roughly equivalent to the number of blocks in 90 days.
        * @dev    Roughly equivalent to the number of blocks in 10 days.

As described in the NatSpec comments above, these are imprecise, rough calculations of the time in blocks. However, I strongly feel that the calculations in the smart contract should be the correct amount.

File: ajna-grants/src/grants/base/StandardFunding.sol

    /**
     * @notice Length of the challengephase of the distribution period in blocks.
     * @dev    Roughly equivalent to the number of blocks in 7 days.
     * @dev    The period in which funded proposal slates can be checked in updateSlate.
     */
    uint256 internal constant CHALLENGE_PERIOD_LENGTH = 50400;

    /**
     * @notice Length of the distribution period in blocks.
     * @dev    Roughly equivalent to the number of blocks in 90 days.
     */
    uint48 internal constant DISTRIBUTION_PERIOD_LENGTH = 648000;

    /**
     * @notice Length of the funding phase of the distribution period in blocks.
     * @dev    Roughly equivalent to the number of blocks in 10 days.
     */
    uint256 internal constant FUNDING_PERIOD_LENGTH = 72000;

There are three cases:
7 days blocks:
The value of 50400 is incorrect because it corresponds to approximately 7.4 days (50400 * 15 seconds / 60 seconds / 60 minutes / 24 hours = 7.36 days). In this case, the correct value would be 40320 (which is 7 days * 24 hours * 60 minutes * 60 seconds / 15 seconds per block = 40320 blocks).
90 days blocks:
90 days * 24 hours/day * 60 minutes/hour * 60 seconds/minute / 15 seconds/block = 5,184,000 blocks.
10 days blocks:
10 days * 24 hours/day * 60 minutes/hour * 60 seconds/minute / 15 seconds/block = 57,600 blocks

If the different time frame values were chosen to account for factors such as network congestion, mining difficulty adjustments, or other variables that can affect block times, it would be appropriate to state that in a comment.

Tools Used

Manual Review

Recommended mitigation steps

Consider justifying the choice of such a rough calculation or changing the code as below:

        /**
             * @notice Length of the challengephase of the distribution period in blocks.
             * @dev    Roughly equivalent to the number of blocks in 7 days.
             * @dev    The period in which funded proposal slates can be checked in updateSlate.
             */
-            uint256 internal constant CHALLENGE_PERIOD_LENGTH = 50400;
+            uint256 internal constant CHALLENGE_PERIOD_LENGTH = 40_320;
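
Review bot: The replacement value 40_320 on the `+` line is exact for 7 days only at 15 seconds per block, while the removed 50400 is exact for 7 days at 12 seconds per block (7 * 86,400 / 12 = 50,400), and the unchanged @dev line still says only "Roughly equivalent to the number of blocks in 7 days". Confirm the block time of the target chain before changing the constant, and extend the @dev line to state the seconds-per-block figure the number was derived from.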


            /**
             * @notice Length of the distribution period in blocks.
             * @dev    Roughly equivalent to the number of blocks in 90 days.
             */
-            uint48 internal constant DISTRIBUTION_PERIOD_LENGTH = 648000;
+            uint48 internal constant DISTRIBUTION_PERIOD_LENGTH = 5_184_000;
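
Review bot: The added value 5_184_000 does not equal 90 days at 15 seconds per block: 90 * 86,400 / 15 = 518,400, so the `+` line is ten times too large and would stretch the distribution period to about 900 days at that block time. If a 15-second block time is intended, the value should be 518_400; the removed 648000 corresponds to 90 days at 12 seconds per block.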


            /**
             * @notice Length of the funding phase of the distribution period in blocks.
             * @dev    Roughly equivalent to the number of blocks in 10 days.
             */
-            uint256 internal constant FUNDING_PERIOD_LENGTH = 72000;
+            uint256 internal constant FUNDING_PERIOD_LENGTH = 57_600;
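
Review bot: FUNDING_PERIOD_LENGTH = 57_600 hard-codes the same block-time assumption a third time, with nothing tying it to the other two constants in this patch. Consider deriving each length from one named blocks-per-day constant (for example 10 * BLOCKS_PER_DAY, a hypothetical name) so the assumption is stated once and the 7-, 90- and 10-day windows cannot drift apart. Note also that going from 72000 to 57_600 shortens the funding phase in wall-clock time on any chain whose blocks are faster than 15 seconds.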

Assessed type

Math
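
The days-to-blocks formula from the three cases above can be inverted to see which block time each constant implies and what each constant should be for a stated block time. The following Python check is an added example, not part of the original report or the Ajna code base; the function names are hypothetical, the constants and durations are those quoted in the report, and the 12-second block time is an added assumption used for comparison.

```python
from fractions import Fraction

SECONDS_PER_DAY = 24 * 60 * 60

# (blocks, days in the NatSpec) for each constant quoted in the report.
DOCUMENTED = {
    "CHALLENGE_PERIOD_LENGTH": (50400, 7),
    "DISTRIBUTION_PERIOD_LENGTH": (648000, 90),
    "FUNDING_PERIOD_LENGTH": (72000, 10),
}


def blocks_for(days, block_time_s):
    """Block count for `days` at `block_time_s` seconds per block."""
    blocks = Fraction(days * SECONDS_PER_DAY, block_time_s)
    if blocks.denominator != 1:
        raise ValueError(f"{days} days is not a whole number of {block_time_s}s blocks")
    return int(blocks)


def implied_block_time(blocks, days):
    """Seconds per block at which `blocks` spans exactly `days`."""
    return Fraction(days * SECONDS_PER_DAY, blocks)


def audit(constants, block_time_s):
    """Compare each constant with the count expected at an assumed block time."""
    report = {}
    for name, (blocks, days) in constants.items():
        expected = blocks_for(days, block_time_s)
        report[name] = {
            "implied_block_time_s": implied_block_time(blocks, days),
            "days_at_assumed": Fraction(blocks * block_time_s, SECONDS_PER_DAY),
            "expected_blocks": expected,
            "matches": blocks == expected,
        }
    return report


if __name__ == "__main__":
    # 15 s is the block time used in the report; 12 s is an added assumption.
    for assumed in (15, 12):
        print(f"assumed block time: {assumed}s")
        for name, row in audit(DOCUMENTED, assumed).items():
            print(f"  {name}: implies {float(row['implied_block_time_s'])}s/block, "
                  f"lasts {float(row['days_at_assumed']):.2f} days, "
                  f"expected {row['expected_blocks']} blocks, match={row['matches']}")
```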

