Wrong time calculating in proposeOffboard()

[c4-bot-6]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOffboarding.sol#L89-L97
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOffboarding.sol#L116-L123

Vulnerability details

Impact

In LendingTermOffboarding contract, users could call proposeOffboard() function, but they could do it, if current block.number is greater than time from mapping lastPollBlock[term] plus constant value , which stored in POLL_DURATION_BLOCKS.

    function proposeOffboard(address term) external whenNotPaused {
         ...
        require(
            block.number > lastPollBlock[term] + POLL_DURATION_BLOCKS,
            "LendingTermOffboarding: poll active"
        );

There problem is, that project will be deployed on different blockchains, such as ethereum and arbitrum. In these chains there are different time of mining new blocks. Values vary greatly.
In arbitrum minting blocks is more faster, that in ethereum, so users could call proposeOffboard() after lastPollBlock[term] + ~7 days ( 13s/block), but in arbitrum: lastPollBlock[term] + ~1 day ( 2s/block)

The same problem there is in function supportOffboard().

    function supportOffboard(
        uint256 snapshotBlock,
        address term
    ) external whenNotPaused {
        require(
            block.number <= snapshotBlock + POLL_DURATION_BLOCKS,
            "LendingTermOffboarding: poll expired"
        );

Users will have shorter period for supporting on arbitrum network, than in ethereum.

Proof of Concept

You can see minting block times on https://etherscan.io/ for ethereum and on https://arbiscan.io/ for arbutrum.

Tools Used

Manual review

Recommended Mitigation Steps

Make the constant a variable. Set value in constructor, because this value will be different for each blockchain

Assessed type

Invalid Validation

[c4-pre-sort]

0xSorryNotSorry marked the issue as sufficient quality report

[c4-pre-sort]

0xSorryNotSorry marked the issue as duplicate of #816

[c4-judge]

Trumpero changed the severity to QA (Quality Assurance)

[c4-judge]

Trumpero marked the issue as grade-b

[c4-judge]

Trumpero marked the issue as grade-c

[SovaSlava]

Hello @Trumpero !
Why this issue has grade-c, while other issues with such duplicate have grade-a/grade-b?

[Trumpero]

If issues are downgraded to be a QA, they will be included in the QA report of the warden. They will still be counted even when the warden doesn't submit a QA report. Each judge has a different evaluation system to assign QA points. In my system, it's 5 points for low severity and 1 point for refactor/NC. Since this low issue is your only issue, your total QA points is 5, resulting in a grade-c. Therefore, all of your QA-report issues will be marked as grade-c.
In my evaluation of this contest, you need to score more than 50% compared to the best QA report to achieve a grade-b. For grade-a, the threshold is 75%.