skip to content
zeroknots.eth

Security Issues: solidity timestamps

solidity, auditing, security

Timestamps are hard. They are often used in smart contracts but carry inherent risks that must be considered.

Intro

Smart contracts have revolutionized the way we do business by allowing us to automate complex financial transactions without the need for intermediaries. However, as with any technology, there are inherent risks that must be considered. One potential vulnerability that often goes overlooked is the failure to properly sanitize timestamps in smart contracts. In this blog post, we will explore the security issues that can occur when smart contracts fail to sanitize timestamps, and how they can be prevented.

Introduction

Firstly, it’s important to understand what a timestamp is. In the context of smart contracts, a timestamp is a piece of data that records the time when a specific event occurred. For example, a smart contract may use a timestamp to record the time when a payment was made or when a specific condition was met. Timestamps are essential for ensuring the accuracy and transparency of smart contracts, as they allow us to track when specific events occurred.

Tip: Declare your time variables as “uint40” rather than “uint256”, to save gas in structs and contract storage. 2^40-1 is more than enough time.

pragma solidity ^0.8.0;

contract MyDate {

    struct DateStruct {
        uint40 date1;
        uint40 date2;
        uint40 date3;
    }

    DateStruct myStruct;

    function setDates(uint40 _date1, uint40 _date2, uint40 _date3) public {
        myStruct.date1 = _date1;
        myStruct.date2 = _date2;
        myStruct.date3 = _date3;
    }

    function getDates() public view returns (uint40, uint40, uint40) {
        return (myStruct.date1, myStruct.date2, myStruct.date3);
    }
}

Sanitization

When smart contracts fail to sanitize timestamps, it can create serious security issues. One potential issue is that malicious actors can manipulate timestamps to execute transactions out of order. For example, an attacker could manipulate a timestamp to make it appear as though a payment was made before a specific condition was met, allowing them to execute a transaction before they should have been able to.

Another potential vulnerability is that unscrupulous actors can use timestamps to their advantage by exploiting time-based vulnerabilities. For example, an attacker could exploit a time-based vulnerability by submitting a transaction at a specific time, knowing that the contract will execute a specific action at that time. This can be particularly problematic in time-sensitive transactions, such as auctions or trading.

Allowing the creation of epochs with end dates that are before their begin dates can have serious security implications. It can result in the smart contract executing transactions in an unintended order, leading to loss of funds or other unintended consequences. For example, an attacker could create an epoch that ends before it begins and exploit this vulnerability to make unauthorized transactions, bypass certain conditions or create other inconsistencies in the contract’s behavior. This can create opportunities for malicious actors to exploit vulnerabilities in the smart contract and potentially compromise the entire system. As such, it’s important to ensure that smart contracts have proper validation and sanitization mechanisms to prevent these types of vulnerabilities.

It is important that you understand the business logic and potential impact when auditing contracts that use timestamps.