Smart Contract / Block Values as a Proxy for Time

Description

Block values as a proxy for time (CWE-843) is a type of vulnerability that is present in Smart Contracts, particularly those generated in programming languages such as Solidity and Vyper. This vulnerability arises when the time value of a block is used as a proxy for an application's time value. This leaves the application open to malicious attacks that manipulate the block time value, resulting in an incorrect time value in the application. This can lead to various issues, such as double spending or denial of service attacks. A reference to the CWE directory can be found here. Further information regarding the vulnerability can be found in the OWASP Testing Guide.

Risk

The risk associated with this vulnerability is high. If successful, attackers may be able to manipulate the block time value of the application, resulting in incorrect values being stored in the application. This can lead to various issues, such as double spending or denial of service attacks.

Solution

The best way to mitigate this vulnerability is to use a trusted third party oracle to provide an accurate time value to the application. This should be done in such a way that the time value is not easily manipulated by attackers. Additionally, the application should be designed in such a way that allows it to check the validity of the time value before it is used in the application.

Example

The following example is taken from the CVE directory CVE-2020-25203. This example demonstrates the vulnerability of using block values as a proxy for time in a Solidity smart contract.

pragma solidity ^0.5.0;

contract TimeVuln {
    uint256 public blockTime;
    
    constructor() public {
        blockTime = block.timestamp;
    }
    
    function updateTime() public {
        blockTime = block.timestamp;
    }

}

In this example, the smart contract is vulnerable to attackers manipulating the block time value by submitting a malicious transaction. This can lead to incorrect values being stored in the public blockTime variable, allowing attackers to double spend or perform denial of service attacks.