Wrong value of MONTH_IN_SECONDS could make it impossible to recover NFT in 7 years #314

code423n4 · 2022-12-16T17:55:38Z

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L33

Vulnerability details

Impact

Constant MONTH_IN_SECONDS has incorrect value. Instead of 1 month, it has the value of 7 months.

// @dev about 30 days in a month
uint256 immutable MONTH_IN_SECONDS = (3600 * 24 * 7) * 30; 
// @audit wrong value, could allow bufferTime and recoverTimelock become too long

This constant is used to check some settings in function initialize()

if (_settings.drawBufferTime < HOUR_IN_SECONDS) {
    revert REDRAW_TIMELOCK_NEEDS_TO_BE_MORE_THAN_AN_HOUR();
}
if (_settings.drawBufferTime > MONTH_IN_SECONDS) {
    revert REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH();
}

if (_settings.recoverTimelock < block.timestamp + WEEK_IN_SECONDS) {
    revert RECOVER_TIMELOCK_NEEDS_TO_BE_AT_LEAST_A_WEEK();
}
if (
    _settings.recoverTimelock >
    block.timestamp + (MONTH_IN_SECONDS * 12)
) {
    revert RECOVER_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_YEAR();
}

As we can see, the last check make sure recoverTimelock cannot be longer than 1 year, but because MONTH_IN_SECONDS, value of recoverTimelock could be mistakenly set to 7 years.

Proof of Concept

https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L28-L35

/// @dev 60 seconds in a min, 60 mins in an hour
uint256 immutable HOUR_IN_SECONDS = 60 * 60;
/// @dev 24 hours in a day 7 days in a week
uint256 immutable WEEK_IN_SECONDS = (3600 * 24 * 7);
// @dev about 30 days in a month
uint256 immutable MONTH_IN_SECONDS = (3600 * 24 * 7) * 30;

Value of MONTH_IN_SECONDS should be 3600 * 24 * 30

Tools Used

Manual Review

Recommended Mitigation Steps

Correcting the value of MONTH_IN_SECONDS to (3600 * 24 * 30)

The text was updated successfully, but these errors were encountered:

c4-judge · 2022-12-17T12:53:15Z

gzeon-c4 marked the issue as duplicate of #273

c4-judge · 2022-12-17T12:53:50Z

gzeon-c4 marked the issue as satisfactory

c4-judge · 2023-01-24T09:14:41Z

gzeon-c4 changed the severity to 2 (Med Risk)

code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 16, 2022

code423n4 added a commit that referenced this issue Dec 16, 2022

wagmi issue #314

732a92f

c4-judge closed this as completed Dec 17, 2022

c4-judge added the duplicate-273 label Dec 17, 2022

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Dec 17, 2022

C4-Staff added a commit that referenced this issue Jan 7, 2023

original risk added for issue #314

976585a

c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jan 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wrong value of MONTH_IN_SECONDS could make it impossible to recover NFT in 7 years #314

Wrong value of MONTH_IN_SECONDS could make it impossible to recover NFT in 7 years #314

code423n4 commented Dec 16, 2022

c4-judge commented Dec 17, 2022

c4-judge commented Dec 17, 2022

c4-judge commented Jan 24, 2023

Wrong value of MONTH_IN_SECONDS could make it impossible to recover NFT in 7 years #314

Wrong value of MONTH_IN_SECONDS could make it impossible to recover NFT in 7 years #314

Comments

code423n4 commented Dec 16, 2022

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Dec 17, 2022

c4-judge commented Dec 17, 2022

c4-judge commented Jan 24, 2023