Maia DAO Ecosystem - btk's results

Efficient liquidity renting and management across chains with Curvenized Uniswap V3.

General Information

Platform: Code4rena

Start Date: 30/05/2023

Pot Size: $300,500 USDC

Total HM: 79

Participants: 101

Period: about 1 month

Judge: Trust

Total Solo HM: 36

Id: 242

League: ETH

Researcher Performance

Rank: 61/101

Findings: 1

Award: $172.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: MohammedRizwan

Also found by: ByteBandits, T1MOH, btk, tsvetanovv

Labels

bug
2 (Med Risk)
satisfactory
duplicate-417

Awards

172.8238 USDC - $172.82

External Links

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/main/src/governance/GovernorBravoDelegateMaia.sol#L18-L27

Vulnerability details

Impact

Note: The sponsor message on which networks project will be deployed.

Vote period/delay will not work correctly on L2s due to the use of block.number, which may not give holders enough time to delegate or cast before the voting delay or period ends.

Proof of Concept

    uint256 public constant MIN_VOTING_PERIOD = 80640; // About 2 weeks

    /// @notice The max setable voting period
    uint256 public constant MAX_VOTING_PERIOD = 161280; // About 4 weeks

    /// @notice The min setable voting delay
    uint256 public constant MIN_VOTING_DELAY = 40320; // About 1 weeks

    /// @notice The max setable voting delay
    uint256 public constant MAX_VOTING_DELAY = 80640; // About 2 weeks

Each of these values represents a specific period in Ethereum blocks (i.e. 12s), but all of these values will not give the holders enough time when deploying on L2s due to .

Here is a simple comparison of block times across different networks:

| Network | Block time |
| --- | --- |
| Ethereum mainnet | 12 s |
| Arbitrum | 2 s |
| Optimism | 2 s |
| Polygon | 2 s |
| Binance | 3 s |
| Metis | 2 s |
| Fantom | 1 s |
| Avalanche | 3 s |

Tools Used

Manual Review

We recommend using block.timestamp instead of block.number.

Assessed type

Timing

#0 - c4-judge

2023-07-11T06:06:37Z

trust1995 marked the issue as duplicate of #728

#1 - c4-judge

2023-07-11T06:06:42Z

trust1995 marked the issue as satisfactory

#2 - 0xRizwan

2023-07-26T20:06:47Z

@trust1995 Ser,

This is a different issue and does not seem to be a duplicate of #728. It is recommending the use of block.timestamp and does not point out the block period issue.

Please have a look.

Thank you!

#3 - c4-judge

2023-07-27T08:00:34Z

trust1995 marked the issue as not a duplicate

#4 - c4-judge

2023-07-27T08:00:40Z

trust1995 marked the issue as primary issue

#5 - c4-judge

2023-07-27T08:01:42Z

trust1995 marked the issue as duplicate of #417

#6 - trust1995

2023-07-27T08:03:49Z

This finding group contains two types of findings:

  1. Different chains have different block times
  2. ETH2 block time is different from assumed block time (15 seconds)

I believe these are similar enough to be looked at as the same underlying issue (block time assumptions affect voting period).
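As an added example (not part of the submission, the judging thread or the Maia code base), the script below converts the block-count bounds quoted in the finding into wall-clock time using the block times from the comparison table, and reports the block count each chain would need to reach the duration named in the source comments. The function names and the 5% tolerance are assumptions of this example.

```python
# Added example: wall-clock length of the governor's block-count bounds per chain.
# Values are copied from the finding; all names here belong to this example only.
DAY = 86400  # seconds

BOUNDS_BLOCKS = {
    "MIN_VOTING_PERIOD": 80640,
    "MAX_VOTING_PERIOD": 161280,
    "MIN_VOTING_DELAY": 40320,
    "MAX_VOTING_DELAY": 80640,
}
# Durations read from the source comments ("About 2 weeks", "About 4 weeks", ...).
INTENDED_DAYS = {
    "MIN_VOTING_PERIOD": 14,
    "MAX_VOTING_PERIOD": 28,
    "MIN_VOTING_DELAY": 7,
    "MAX_VOTING_DELAY": 14,
}
# Block times as listed in the finding's comparison table (seconds).
BLOCK_TIME_S = {
    "Ethereum mainnet": 12, "Arbitrum": 2, "Optimism": 2, "Polygon": 2,
    "Binance": 3, "Metis": 2, "Fantom": 1, "Avalanche": 3,
}

def actual_days(blocks, block_time_s):
    """Real duration, in days, of `blocks` blocks at the given block time."""
    return blocks * block_time_s / DAY

def implied_block_time_s(bound):
    """Block time the constant assumes if its comment is taken at face value."""
    return INTENDED_DAYS[bound] * DAY / BOUNDS_BLOCKS[bound]

def blocks_for(days, block_time_s):
    """Block count needed to span `days` at the given block time, rounded up."""
    return -(-days * DAY // block_time_s)

def audit(tolerance=0.05):
    """Rows (chain, bound, actual_days, intended_days, blocks_needed) for every
    bound whose real duration is shorter than intended by more than `tolerance`."""
    rows = []
    for chain, bt in BLOCK_TIME_S.items():
        for bound, blocks in BOUNDS_BLOCKS.items():
            got, want = actual_days(blocks, bt), INTENDED_DAYS[bound]
            if got < want * (1 - tolerance):
                rows.append((chain, bound, round(got, 2), want, blocks_for(want, bt)))
    return rows

if __name__ == "__main__":
    print("assumed block time:", implied_block_time_s("MIN_VOTING_PERIOD"), "s")
    for chain, bound, got, want, needed in audit():
        print(f"{chain:17} {bound:18} {got:6.2f} d (intended {want} d), needs {needed} blocks")
```

Every bound is flagged on every listed chain, including Ethereum mainnet at 12 s, because the comments only hold at 15 s per block.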
