MONTH_IN_SECONDS is 7 times larger than the correct value
#89
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-273
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L33
Vulnerability details
Impact
This breaks the protocol invariants enforced by the checks that revert with REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH() and RECOVER_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_YEAR(): because both bounds are derived from MONTH_IN_SECONDS, the redraw timelock can be set to 7 months and the recover timelock to 7 years. This is far beyond what is necessary.
Proof of Concept
MONTH_IN_SECONDS is currently implemented this way
uint256 immutable MONTH_IN_SECONDS = (3600 * 24 * 7) * 30
The expression multiplies the number of seconds in a week (3600 * 24 * 7) by 30, instead of multiplying the number of seconds in a day by 30. Since a week is 7 days, the result is 7 times too large.
The affected parts of the protocol are the checks mentioned above, as they rely on the value of MONTH_IN_SECONDS.
Tools Used
Manual Review
Recommended Mitigation Steps
Correct calculation should be
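To make the impact concrete, the following is an added example (not code from the Forgeries repository) that computes both constants and models the two upper-bound checks named by the revert errors above. The checks themselves (redraw timelock at most one "month", recover timelock at most twelve "months", inclusive comparison) are an assumption made for the model; only the constant expression comes from the report.

```python
"""Model of the timelock bounds derived from MONTH_IN_SECONDS.

Added example, not project code. The two validation functions below are a
hypothetical model of the bounds implied by the revert names in the report
(REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH and
RECOVER_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_YEAR); the exact comparison the
contract performs is an assumption here.
"""

DAY_IN_SECONDS = 3600 * 24
WEEK_IN_SECONDS = DAY_IN_SECONDS * 7

# Constant exactly as quoted in the report: seconds in a week times 30.
MONTH_IN_SECONDS_BUGGY = (3600 * 24 * 7) * 30
# Corrected constant implied by the report: seconds in a day times 30.
MONTH_IN_SECONDS_FIXED = DAY_IN_SECONDS * 30


def overcomputation_factor() -> int:
    """Ratio between the buggy and the corrected constant (expected: 7)."""
    return MONTH_IN_SECONDS_BUGGY // MONTH_IN_SECONDS_FIXED


def redraw_timelock_accepted(draw_buffer_time: int, month: int) -> bool:
    """Assumed redraw bound: accepted when at most one 'month' of seconds."""
    return draw_buffer_time <= month


def recover_timelock_accepted(recover_delay: int, month: int) -> bool:
    """Assumed recover bound: accepted when at most twelve 'months' of seconds."""
    return recover_delay <= month * 12


def check_bounds(month: int) -> dict:
    """Probe both bounds with the durations the report mentions (7 calendar
    months and 7 calendar years, using 30-day months), for a given value of
    the MONTH_IN_SECONDS constant."""
    seven_months = 7 * MONTH_IN_SECONDS_FIXED
    seven_years = 7 * 12 * MONTH_IN_SECONDS_FIXED
    return {
        "redraw_7_months_accepted": redraw_timelock_accepted(seven_months, month),
        "recover_7_years_accepted": recover_timelock_accepted(seven_years, month),
    }


if __name__ == "__main__":
    # With the buggy constant both out-of-range durations pass; with the
    # corrected constant both are rejected.
    print("overcomputation factor:", overcomputation_factor())
    print("buggy constant:", check_bounds(MONTH_IN_SECONDS_BUGGY))
    print("fixed constant:", check_bounds(MONTH_IN_SECONDS_FIXED))
```

Running the module shows the factor of 7 and that, under the buggy constant, a 7-month redraw buffer and a 7-year recover delay both sit exactly at the accepted limit, whereas the corrected constant rejects both.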