Venus Prime - 0xScourgedev's results

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L974-L978

Vulnerability details

Impact

In the EVM, the block time is not constant and can exhibit substantial fluctuations. Utilizing blocks per year as a metric in distribution calculations can result in notable discrepancies, potentially impacting the fairness and accuracy of allocations. Some of the chains that Venus Prime will be deployed on have very inconsistent block times.

Proof of Concept

A great example of fluctuations impacting distributions is comparing Ethereum pre merge to post merge. Ethereum right before the merge had a block time of around 14.5s, and post merge there is a block time of around 12s.

Using those numbers, to get BLOCKS_PER_YEAR, we can do 31,536,000 (Seconds per year) / 14.5 = 2174896 (Approx) 31,536,000 (Seconds per year) / 12 = 2628000

The BLOCKS_PER_YEAR in this example will have a discrepancy of approximately 20%!

Another example is if we take Polygon zkEVM, another chain that Venus Prime will be deployed on, the average block time has varied significantly within the past half year. It reached an average of 58.8s (May 7, 2023), and most recently has a block time of 3s. Variance of 19.6 times! With numbers within the past 3 months, the average block time has fluctuated between 0.73s (August 5, 2023), and 4.01s (September 18, 2023), a variance of ~5.5x!

ETH Block time pre merge ETH Block time post merge Polygon zkEVM Average Block Time Apr. 2023 - Present Polygon zkEVM Average Block Time Jun. 2023 - Present

Tools Used

Manual Analysis

Recommended Mitigation Steps

Change the distribution calculation to use timestamp instead of BLOCKS_PER_YEAR.

Issue Type

Math

Assessed type

Math