Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block time is not the same on different chains #826

Closed
c4-bot-4 opened this issue Dec 28, 2023 · 9 comments
Closed

Block time is not the same on different chains #826

c4-bot-4 opened this issue Dec 28, 2023 · 9 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-816 edited-by-warden grade-c QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-4
Copy link
Contributor

c4-bot-4 commented Dec 28, 2023
edited by c4-bot-10
Loading

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L36
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L116
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/tokens/ERC20MultiVotes.sol#L374
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L95

Vulnerability details

Summary

Block time refers to the time a block is mined in. The average block time in Ethereum is 12s, but this value is different on different chains.
hardcoded time values dependent on the block.number could break major things on other chains.
As protocol has mentioned in the contest readme we anticipate launching on Ethereum mainnet & L2s like Arbitrum

Impact

All hardcoded timePeriod will not work correctly on Arbitrum as expected

Proof of Concept

block.number is NOT a reliable source of timing information for short-terms
On Arbitrum it reflects the L1 block number, which is updated once per minute even according the doc this can be updated multiple times per L1 block (this lets the sequencer give sub-L1-block-time transaction receipts.)
Once per minute, the block number in the Sequencer is synced to the actual L1 block number. This period could be abused to do many malicious actions
eg from the Governance where a user can vote even deadline is passed
All block.number based calculations can be exploited in multiple ways i.e( H/M/L)

    function supportOffboard(
        uint256 snapshotBlock,
        address term
    ) external whenNotPaused {
        require(
            block.number <= snapshotBlock + POLL_DURATION_BLOCKS,
            "LendingTermOffboarding: poll expired"
        );
        uint256 _weight = polls[snapshotBlock][term];
        require(_weight != 0, "LendingTermOffboarding: poll not found");
        uint256 userWeight = GuildToken(guildToken).getPastVotes(
            msg.sender,
            snapshotBlock
        );
        require(userWeight != 0, "LendingTermOffboarding: zero weight");
        require(
            userPollVotes[msg.sender][snapshotBlock][term] == 0,
            "LendingTermOffboarding: already voted"
        );

        userPollVotes[msg.sender][snapshotBlock][term] = userWeight;
        polls[snapshotBlock][term] = _weight + userWeight;
        if (_weight + userWeight >= quorum) {
            canOffboard[term] = true;
        }
        emit OffboardSupport(
            block.timestamp,
            term,
            snapshotBlock,
            msg.sender,
            userWeight
        );
    }

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L36
Here block.number<=snapshotBlock + POLL_DURATION_BLOCKS can be bypassed easily due to the different behaviour of block.number in arbitrum i.e A user could vote 1 arbitrum block before the sync happens and close it the very next block. It would appear that there have been 5 blocks since the last transaction but in reality, it has only been 1 Arbitrum block.
Also, Arbitrum has 2 seconds blocks It would be impossible to block this behavior through param changes

In many places time is used based on the number of blocks which will also create critical issues like manipulating the auction mechanism, voting time period etc

Tools Used

Manual

Recommended Mitigation Steps

block.number is not a trusted source of time instead it's better to use block.timestamps in all such places

Assessed type

Other
@c4-bot-4 c4-bot-4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 28, 2023
c4-bot-1 added a commit that referenced this issue Dec 28, 2023
@c4-bot-1
whitehat-boys issue #826
147351d
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Dec 29, 2023
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #1012

@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #816

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jan 24, 2024
@c4-judge
Copy link
Contributor

Trumpero changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

Trumpero marked the issue as grade-b

@Trumpero Trumpero mentioned this issue Jan 31, 2024
Closed
@c4-judge
Copy link
Contributor

Trumpero marked the issue as grade-c

@c4-judge c4-judge added grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards and removed grade-b labels Jan 31, 2024
@Tri-pathi Tri-pathi mentioned this issue Feb 2, 2024
Closed
@viraj124
Copy link

viraj124 commented Feb 2, 2024

hey @Trumpero
could you please re-evaluate?

Thanks

@Trumpero
Copy link

Trumpero commented Feb 8, 2024

@viraj124 Replied here

@viraj124
Copy link

viraj124 commented Feb 8, 2024

Okay thanks, @Trumpero
could you remove the unsatisfactory tag so it is considered as a QA

@Tri-pathi Tri-pathi mentioned this issue Feb 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-816 edited-by-warden grade-c QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@viraj124 @c4-judge @c4-pre-sort @Trumpero @code4rena-admin @c4-bot-4