区块时间戳操作

漏洞 block.timestamp可以由具有以下限制的矿工操纵

它的标记时间不能早于其父级未来不可能太远

Block Timestamp Manipulation Vulnerability block.timestamp can be manipulated by miners with the following constraints

it cannot be stamped with an earlier time than its parent it cannot be too far in the future

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/*
Roulette is a game where you can win all of the Ether in the contract
if you can submit a transaction at a specific timing.
A player needs to send 10 Ether and wins if the block.timestamp % 15 == 0.
*/

/*
1. Deploy Roulette with 10 Ether
2. Eve runs a powerful miner that can manipulate the block timestamp.
3. Eve sets the block.timestamp to a number in the future that is divisible by
   15 and finds the target block hash.
4. Eve's block is successfully included into the chain, Eve wins the
   Roulette game.
*/

contract Roulette {
    uint public pastBlockTime;

    constructor() payable {}

    function spin() external payable {
        require(msg.value == 10 ether); // must send 10 ether to play
        require(block.timestamp != pastBlockTime); // only 1 transaction per block

        pastBlockTime = block.timestamp;

        if (block.timestamp % 15 == 0) {
            (bool sent, ) = msg.sender.call{value: address(this).balance}("");
            require(sent, "Failed to send Ether");
        }
    }
}

预防技术

不要用作block.timestamp熵和随机数的来源

Preventative Techniques Don't use block.timestamp for a source of entropy and random number

区块时间戳操作​

预防技术​

区块时间戳操作

预防技术