code423n4 / 2023-08-pooltogether-findings, issue 129
Aug 07, 2023 - 12:00 a.m.

the _rngCompletedAt timestamp passed to rngComplete() can be manipulated by the caller to increase their reward

Code4rena
github.com
Tags: timestamp manipulation, reward fraction, unfair claim, mitigation steps

Lines of code
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L137
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L139
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L142

Vulnerability details

Impact

A caller-chosen _rngCompletedAt results in a larger reward fraction, allowing the caller to unfairly claim more of the rewards.

Proof of Concept

The _rngCompletedAt timestamp is controlled by the caller. By passing a later (higher) _rngCompletedAt, the caller shrinks _auctionElapsedSeconds, which is the input to the reward-fraction computation, and so increases their reward fraction.
For example, if the real RNG completion time was 1 hour ago, they could pass a _rngCompletedAt of 30 minutes ago. This makes _auctionElapsedSeconds smaller, so the reward fraction will be higher.

Tools Used

Manual

Recommended Mitigation Steps

Use block.timestamp instead of relying on the passed _rngCompletedAt.
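The following contract is an added illustration, not code from pt-v5-draw-auction or from the warden's report. It puts the pattern described in the proof of concept (elapsed time derived from a caller-supplied _rngCompletedAt) beside the mitigation recommended above (elapsed time derived only from a timestamp the contract recorded itself and block.timestamp). The contract name, the rngSource address and the recordRngCompleted trusted path are assumptions made for the example; the reward curve itself is left out, since the point is which elapsed-seconds value reaches it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not code from pt-v5-draw-auction. A hypothetical relay
/// auction showing the two ways of obtaining the elapsed time that feeds the
/// reward-fraction computation: from a caller-supplied timestamp (the pattern
/// the report describes) and from a timestamp the contract recorded itself
/// together with block.timestamp (the recommended mitigation).
contract RelayAuctionTimestampExample {
    /// Address allowed to record RNG completion (assumed: the RNG fulfilment
    /// callback or another trusted component, never the relayer).
    address public immutable rngSource;

    /// Completion time recorded on-chain by the trusted path; 0 until set.
    uint64 public rngCompletedAt;

    /// Last elapsed value computed by each path, kept so the difference is
    /// observable (elapsed seconds are what the reward fraction is derived from).
    uint64 public lastElapsedUnsafe;
    uint64 public lastElapsedSafe;

    error NotRngSource();
    error RngNotComplete();

    constructor(address _rngSource) {
        rngSource = _rngSource;
    }

    /// Trusted path: only rngSource may record when the random number arrived.
    function recordRngCompleted() external {
        if (msg.sender != rngSource) revert NotRngSource();
        rngCompletedAt = uint64(block.timestamp);
    }

    /// Vulnerable pattern: _rngCompletedAt is whatever the caller passes, so the
    /// caller effectively chooses the elapsed time (clamped at 0 for timestamps
    /// in the future).
    function rngCompleteUnsafe(uint64 _rngCompletedAt) external returns (uint64 elapsed) {
        elapsed = block.timestamp < _rngCompletedAt
            ? 0
            : uint64(block.timestamp) - _rngCompletedAt;
        lastElapsedUnsafe = elapsed;
    }

    /// Hardened pattern: no timestamp parameter at all. Elapsed time is derived
    /// from the contract's own record and block.timestamp, so the relayer has
    /// no influence over it.
    function rngCompleteSafe() external returns (uint64 elapsed) {
        uint64 completedAt = rngCompletedAt;
        if (completedAt == 0) revert RngNotComplete();
        elapsed = uint64(block.timestamp) - completedAt;
        lastElapsedSafe = elapsed;
    }
}
```

Deploy with the trusted RNG source as the constructor argument. After recordRngCompleted has run, two relayers calling rngCompleteUnsafe in the same block with different _rngCompletedAt values get different elapsed values, while rngCompleteSafe returns the same value for both regardless of what they would have passed. Where a caller-supplied timestamp cannot be removed (for example because it arrives through a cross-chain message), the contract-side check is to compare it against an on-chain record rather than to trust it.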

Assessed type

Other
