A timestamp on a blockchain records when a block, and the transactions it carries, was produced. In an Ethereum block header the timestamp field holds the Unix time, in seconds, that the block producer assigned to the block; Solidity exposes it to contracts as block.timestamp, a uint256. Consensus rules only require that it be greater than the parent block's timestamp and not too far in the future, and it is what contracts read when they need a wall-clock notion of ordering between blocks. Before the Merge it also fed the proof-of-work difficulty adjustment, which compared each block's timestamp with its parent's.
Developers sometimes build contracts that read the block timestamp, or an external time source, to decide whether to execute certain logic or to enforce time-based conditions. This is referred to as timestamp dependency. Common examples include time-gated execution, scheduling future events, and locking funds for a period. It can introduce several problems, such as time drift and synchronization issues and front-running. A timestamp dependency vulnerability arises when a contract relies on the block.timestamp global for a critical operation, such as deciding when ether may be transferred or generating random numbers.
Consider an online auction DApp. Its endAuction function awards the auction to the highest bid received within a fixed time window, and the contract uses block.timestamp to decide when that window closes, which leaves it exposed to timestamp manipulation by whoever produces the block.
*Can you also spot the bug in that snippet?*
Only the producer of a block can choose its timestamp, but that is enough. The value need only exceed the parent's timestamp and stay within the future-drift tolerance clients enforce (pre-Merge geth rejected blocks more than 15 seconds ahead of local time), so a miner with a pending bid can back-date the block that carries their placeBid call: block.timestamp is still below the deadline although real time has passed it, and the bidding period is effectively extended for them or for others in the same block. Forward-dating works the other way, letting endAuction be called a few seconds early to lock in the current highest bid. Since the Merge the execution-layer timestamp is fixed to the slot schedule, which removes most of the proposer's latitude, but a contract that cannot tolerate drift of that order should count blocks rather than seconds, and block.timestamp must never be used as a source of randomness.
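The post's own snippet is not reproduced here, so the following is an added illustration of the pattern it describes, not the author's code. Contract and function names (AuctionBase, TimestampAuction, BlockNumberAuction, biddingOpen) are assumed; placeBid and endAuction mirror the names used above. The vulnerable variant gates bidding on block.timestamp; the hardened variant keeps the same bidding logic but measures the window in blocks, which the producer cannot skew.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shared bidding logic; only the "is bidding still open" decision differs
// between the two concrete contracts below.
abstract contract AuctionBase {
    address public highestBidder;
    uint256 public highestBid;
    bool public ended;
    // Pull-style refunds so a reverting bidder cannot block the auction.
    mapping(address => uint256) public pendingReturns;

    function biddingOpen() internal view virtual returns (bool);

    function placeBid() external payable {
        require(biddingOpen(), "bidding closed");
        require(msg.value > highestBid, "bid too low");
        if (highestBidder != address(0)) {
            pendingReturns[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    function endAuction() external {
        require(!biddingOpen(), "still running");
        require(!ended, "already ended");
        ended = true;
        // settlement of highestBid to the seller would follow here
    }

    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];
        pendingReturns[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}

// VULNERABLE: the deadline is compared against block.timestamp, which the
// block producer chooses. Back-dating the block keeps biddingOpen() true
// after the real deadline; forward-dating lets endAuction() run early.
contract TimestampAuction is AuctionBase {
    uint256 public immutable auctionEnd; // Unix seconds (assumed field name)

    constructor(uint256 biddingSeconds) {
        auctionEnd = block.timestamp + biddingSeconds;
    }

    function biddingOpen() internal view override returns (bool) {
        return block.timestamp < auctionEnd;
    }
}

// HARDENED: the window is a block count. block.number is not chosen by the
// producer, so the deadline cannot be nudged either way. The price is that
// the deadline is only approximate in wall-clock terms (block interval
// times block count), which is acceptable when seconds do not matter.
contract BlockNumberAuction is AuctionBase {
    uint256 public immutable auctionEndBlock; // assumed field name

    constructor(uint256 biddingBlocks) {
        auctionEndBlock = block.number + biddingBlocks;
    }

    function biddingOpen() internal view override returns (bool) {
        return block.number < auctionEndBlock;
    }
}
```

If a contract genuinely needs seconds rather than blocks and can tolerate drift of the order the network allows (the familiar "15-second rule"), block.timestamp remains acceptable for deadlines; what it is never acceptable for is randomness, where the producer's choice becomes the attacker's choice.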
In general, I personally do not see this as a large issue for us auditors. However, it should definitely be kept in mind.
Link to the article
https://twitter.com/CharlesWangP/status/1781683115955556672