search
Active Boosts

28632 - [SC - Insight] Setting delay at MINIMUM_DELAY in timelock fails

Submitted on Feb 22nd 2024 at 19:10:48 UTC by @Haxatron for Boost | Puffer Financearrow-up-right

Report ID: #28632

Report type: Smart Contract

Report severity: Insight

Target: https://etherscan.io/address/0x3C28B7c7Ba1A1f55c9Ce66b263B33B204f2126eA#code

Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Introduction

Due to the use of >= instead of >, setting the delay exactly at the MINIMUM_DELAY will fail.

hashtag
Vulnerability Details

When setting a delay for the timelock, there is a MINIMUM_DELAY set for the timelock.

     * @notice Minimum delay enforced by the contract
     */
    uint256 public constant MINIMUM_DELAY = 7 days;

However when checking for this delay, >= is used instead of >.

Therefore setting the delay at exactly MINIMUM_DELAY will cause the newDelay <= MINIMUM_DELAY check to be true and therefore the setDelay transaction to revert.

hashtag
Impact Details

This can be surprising to users such as the operations multisig, that waited to execute their setDelay transaction but their transaction will unexpectedly fail because of the above behaviour.

hashtag
References

https://etherscan.io/address/0x3C28B7c7Ba1A1f55c9Ce66b263B33B204f2126eA?utm_source=immunefi#code

hashtag
Proof of Concept

Add this to the test/unit/Timelock.t.sol test found in https://github.com/PufferFinance/pufETH

Previous28630 - [SC - Insight] Improper Validation for Partial Filling of INCH...Next28645 - [SC - Insight] Attacker Prevents All Users From Withdrawing Fu...

Last updated

Was this helpful?