
A timestamp on blockchain networks represents the record of when data was exchanged, created, or removed. On the Ethereum block, the timestamp field is a 256-bit value representing the Unix timestamp of when the block was mined and validated onchain. It also shows the difficulty and the time it took to mine the block and establish the order of transactions and blocks.
Sometimes, developers build contracts that rely on the block timestamp or external time sources within smart contracts to execute certain logic or enforce time-based conditions. This is referred to as timestamp dependency. Common examples include time-dependent executions, scheduling future events, or periodic locking of funds. However, this may introduce several vulnerabilities, such as time drift and synchronization issues and front-running attacks. A timestamp dependency vulnerability occurs when a smart contract relies on block.timestamp for critical operations, such as transferring ether or generating random numbers.
Consider the case of this online bidder DApp. Its function, endAuction, determines the auction winner based on the highest bid within a certain time frame. The contract also relies on the block.timestamp to mark the end of the bidding period, leaving it vulnerable to timestamp manipulation by miners.
*Can you also spot the bug in that snippet?*

An attacker can manipulate the timestamp of the block containing the transaction that calls the placeBid function. By setting a manipulated timestamp slightly ahead of the actual current time, the attacker could extend the bidding period beyond the intended duration, allowing them or others to place additional bids.
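As an added illustration (not the snippet this post refers to, and not code from any audited project), the Solidity contracts below put a bidding deadline measured with block.timestamp beside one measured in block height. The contract names, constructor parameters and the AuctionBase helper are hypothetical; only placeBid and endAuction are named in the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example with hypothetical names; not the snippet from the original post.
abstract contract AuctionBase {
    address payable public immutable beneficiary;
    address public highestBidder;
    uint256 public highestBid;
    bool public ended;
    mapping(address => uint256) public pendingReturns;

    constructor(address payable beneficiary_) { beneficiary = beneficiary_; }

    // Each variant below decides how the end of the bidding period is measured.
    function biddingOpen() public view virtual returns (bool);

    function placeBid() external payable {
        require(biddingOpen(), "bidding closed");
        require(msg.value > highestBid, "bid too low");
        // Funds of the outbid bidder stay withdrawable instead of being pushed back.
        if (highestBidder != address(0)) pendingReturns[highestBidder] += highestBid;
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];
        pendingReturns[msg.sender] = 0; // clear the balance before sending
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }

    function endAuction() external {
        require(!biddingOpen() && !ended, "still open or already ended");
        ended = true; // set before the payout so it cannot be claimed twice
        (bool ok, ) = beneficiary.call{value: highestBid}("");
        require(ok, "payout failed");
    }
}

// Timestamp-dependent: block.timestamp is set by whoever produces the block,
// so a bid sent close to biddingEnd can land on either side of the check.
contract TimestampAuction is AuctionBase {
    uint256 public immutable biddingEnd; // Unix time
    constructor(address payable b, uint256 secs) AuctionBase(b) { biddingEnd = block.timestamp + secs; }
    function biddingOpen() public view override returns (bool) { return block.timestamp < biddingEnd; }
}

// Block-height deadline: block.number is parent + 1, not a value the producer picks.
contract BlockHeightAuction is AuctionBase {
    uint256 public immutable biddingEndBlock;
    constructor(address payable b, uint256 blocks) AuctionBase(b) { biddingEndBlock = block.number + blocks; }
    function biddingOpen() public view override returns (bool) { return block.number < biddingEndBlock; }
}
```

A block-height deadline takes the producer's choice out of the check, at the cost of a bidding period whose wall-clock length depends on how fast blocks arrive.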
In general, I personally do not see this as a large issue for us auditors. However, it should definitely be kept in mind.
Comment the bug if you found it!