/*
#Block Timestamp Manipulation
##Vulnerability
block.timestamp can be manipulated by miners, subject to the following constraints:
1. it cannot be earlier than the timestamp of its parent block
2. it cannot be too far in the future
*/
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
/*
Roulette is a game where you can win all of the Ether in the contract
if you can submit a transaction at a specific timing.
A player must send exactly 10 Ether and wins if block.timestamp % 15 == 0.
*/
/*
1. Deploy Roulette with 10 Ether
2. Eve runs a powerful miner that can manipulate the block timestamp.
3. Eve sets the block.timestamp to a number in the future that is divisible by
15 and finds the target block hash.
4. Eve's block is successfully included into the chain, Eve wins the
Roulette game.
*/
contract Roulette {
    /// @notice Timestamp of the block in which the most recent spin was accepted.
    /// @dev Doubles as a one-spin-per-block latch; see spin().
    uint public pastBlockTime;

    /// @notice Funds the prize pool at deployment (the example deploys with 10 Ether).
    constructor() payable {}

    /// @notice Pay exactly 10 Ether for one spin; a winning spin pays out the
    ///         entire contract balance to the caller.
    /// @dev The win condition is decided by block.timestamp, a value the miner
    ///      that includes the transaction chooses within protocol limits, so it
    ///      is not a source of randomness. The pastBlockTime latch only rejects
    ///      a second spin in a block with the same timestamp; it does nothing
    ///      to stop a miner from picking a timestamp divisible by 15.
    function spin() external payable {
        // exactly 10 Ether per spin
        require(msg.value == 10 ether);
        // reject a second spin in a block whose timestamp was already used
        require(block.timestamp != pastBlockTime);
        pastBlockTime = block.timestamp;

        bool isWinningBlock = block.timestamp % 15 == 0;
        if (!isWinningBlock) {
            return;
        }

        // winner receives the whole balance via a low-level call
        (bool ok, ) = msg.sender.call{value: address(this).balance}("");
        require(ok, "Failed to send ethers");
    }
}
/*
##Preventative Techniques
Don't use block.timestamp as a source of entropy or as a random number generator.
*/