Skip to content

Lack of validation for time settings#

Low Risk

In Create.sol there are createCanvas and updateCanvas functions through which canvas can be created/updated. In both cases, there is a lack of validation for time related settings.

  • dutchEndTime can be set to less than current timestamp and less than saleStart, which will result in price always being the same.
  • Both saleStart and saleEnd can be less than current timestamp.
  • Both saleStart and saleEnd can be as far in the future as possible.

Recommendation#

Add a check in createCanvas and updateCanvas that prevents the above and limits the duration of sale. Consider using constants to represent minimum and maximum duration for auction/sale. 

if(canvas.dutchEndTime != 0 && (canvas.dutchEndTime - canvas.saleStart > MAX_DUTCH_DURATION || canvas.dutchEndTime - canvas.saleStart < MIN_DUTCH_DURATION)) revert
if(canvas.saleStart != 0 && (canvas.saleStart < block.timestamp || canvas.saleEnd - canvas.saleStart > MAX_SALE_DURATION || canvas.saleEnd - canvas.saleStart < MIN_SALE_DURATION)) revert