wrong MONTH_IN_SECONDS constant #212
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-273
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L33
Vulnerability details
Impact
The wrong constant allows an unexpectedly long time to be set for settings.drawBufferTime and settings.recoverTimelock.
Proof of Concept
This is actually 7 months.
With this setting, settings.recoverTimelock can be as large as 12*7 months (7 years) instead of a year, and likewise REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH will only prevent a _settings.drawBufferTime larger than 7 months.
Tools Used
no
Recommended Mitigation Steps
It should be changed to:
uint256 immutable MONTH_IN_SECONDS = 3600 * 24 * 30;
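The effect of the wrong constant on the two upper-bound checks, and the fix written with Solidity's built-in time units, as an added example (not code from the contest repository). The contract name `DrawTimeBounds`, the function names, the `RecoverTimelockTooFarOut` error and the buggy expression with its extra factor of 7 are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Added illustration (hypothetical contract, not VRFNFTRandomDraw itself).
contract DrawTimeBounds {
    // Assumed buggy form: an extra "* 7" makes one "month" equal to 210 days.
    uint256 public constant BUGGY_MONTH_IN_SECONDS = (3600 * 24 * 7) * 30;
    // The value from the recommended mitigation, and the same value written
    // with Solidity's time units so no hand multiplication is needed.
    uint256 public constant MONTH_IN_SECONDS = 3600 * 24 * 30;
    uint256 public constant MONTH_VIA_UNITS = 30 days;

    error REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH();
    error RecoverTimelockTooFarOut(); // hypothetical name

    /// Upper-bound checks as the report describes them, parameterised on the
    /// month constant so both values can be exercised side by side.
    function checkUpperBounds(
        uint256 drawBufferTime,
        uint256 recoverTimelock,
        uint256 nowTs,
        uint256 monthInSeconds
    ) public pure {
        if (drawBufferTime > monthInSeconds) {
            revert REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH();
        }
        if (recoverTimelock > nowTs + monthInSeconds * 12) {
            revert RecoverTimelockTooFarOut();
        }
    }

    /// Regression check a unit test can call; returns true when the fixed
    /// constant rejects a value that the buggy constant lets through.
    function selfCheck() external view returns (bool) {
        assert(MONTH_IN_SECONDS == MONTH_VIA_UNITS);
        assert(BUGGY_MONTH_IN_SECONDS == 7 * MONTH_IN_SECONDS);
        uint256 sixMonths = 180 days; // constructed sample drawBufferTime
        // Accepted under the buggy constant (180 days < 210 days)...
        checkUpperBounds(sixMonths, 0, 0, BUGGY_MONTH_IN_SECONDS);
        // ...and rejected under the fixed one (180 days > 30 days).
        try this.checkUpperBounds(sixMonths, 0, 0, MONTH_IN_SECONDS) {
            return false;
        } catch {
            return true;
        }
    }
}
```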