# 28729 - \[SC - Insight] MINIMUM\_DELAY uses incorrect value of days ins...

Submitted on Feb 25th 2024 at 09:04:26 UTC by @MrPotatoMagic for [Boost | Puffer Finance](https://immunefi.com/bounty/pufferfinance-boost/)

Report ID: #28729

Report type: Smart Contract

Report severity: Insight

Target: <https://etherscan.io/address/0x3C28B7c7Ba1A1f55c9Ce66b263B33B204f2126eA#code>

Impacts:

* Contract fails to deliver promised returns, but doesn't lose value

## Description

## Brief/Intro

The Timelock.sol contract currently uses a `MINIMUM_DELAY` **constant** value of 7 days. But according the specification/expected behaviour mentioned by the sponsors in the Technical walkthrough (referenced below), the minimum delay is supposed to be 2 days.

## References

<https://youtu.be/u1lYGykS-7g?si=-xVed8AAHZ8NkVHh\\&t=2436>

## Impact Details

Since the minimum delay is expected to be 2 days, when the operation/community multisig try to set a delay in the range \[2,7], the call would revert with `InvalidDelay` error.

Due to this, the issue has been marked as low-severity since the contract fails to deliver promised results and does not abide by its specification/expected behaviour.

## Vulnerability Details

Here is the whole process:

1. First , let's take a look at the MINIMUM\_DELAY constant value in the Timelock.sol contract:

* As we can see, the code is deployed with a constant (immutable) value of 7 days rather than the expected value of 2 days.

```solidity
File: Timelock.sol
101:     uint256 public constant MINIMUM_DELAY = 7 days; 
```

2. This mean that when the operation/community multisig calls the function `setDelay()` through the function `executeTransaction()` with a value in the range \[2,7], the call would revert with the `InvalidDelay` error. This denies the operators/community from setting a value in that range and **forces them to set delay to a value greater than 7 days**.

```solidity
File: Timelock.sol
295:     function _setDelay(uint256 newDelay) internal {
296:         
297:         if (newDelay <= MINIMUM_DELAY) {
298:             revert InvalidDelay(newDelay);
299:         }
300:         emit DelayChanged(delay, newDelay);
301:         delay = newDelay;
302:     }
```

## Proof of Concept

How to use this POC:

* Add the POC to the Timelock.t.sol file.
* Run the test using `forge test --fork-url <ETH_MAINNET_RPC_URL> --match-test testIncorrectMinDelayIssue -vvv`

```solidity
  function testIncorrectMinDelayIssue() public {

        uint256 operationId;
        for (uint256 i = 2;  i <= 7 ; i++) {
            bytes memory callData = abi.encodeCall(Timelock.setDelay, (86400*i));

            operationId++;

            vm.prank(timelock.COMMUNITY_MULTISIG());
            timelock.executeTransaction(address(timelock), callData, operationId);

            assertNotEq(timelock.delay(), 86400*i);
        }
    }
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://reports.immunefi.com/puffer-finance/28729-sc-insight-minimum_delay-uses-incorrect-value-of-days-ins....md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.