- Vulnerability Category: Block attributes
- Severity: Critical
- Detectors: assert-block-height
- Test Cases: assert-block-height
Since there is no exact method to measure time in the Stacks blockchain, Clarity gives you two options: `block-height` and `burn-block-height`. The main difference between them is that `block-height` is based on the Stacks blockchain, while `burn-block-height` is based on the underlying Bitcoin blockchain.

A malicious user can exploit the fact that the block height in Stacks is not synchronized with the Bitcoin blockchain.
```clarity
(define-public (list-asset (nft-asset-contract <nft-trait>) (nft-asset {taker: (optional principal), token-id: uint, expiry: uint, price: uint, payment-asset-contract: (optional principal)}))
  (let ((listing-id (var-get listing-nonce)))
    (asserts! (is-whitelisted (contract-of nft-asset-contract)) err-asset-contract-not-whitelisted)
    (asserts! (> (get expiry nft-asset) block-height) err-expiry-in-past)
    (ok listing-id)
  )
)
```
The vulnerable code example can be found here.
```clarity
(define-public (list-asset (nft-asset-contract <nft-trait>) (nft-asset {taker: (optional principal), token-id: uint, expiry: uint, price: uint, payment-asset-contract: (optional principal)}))
  (let ((listing-id (var-get listing-nonce)))
    (asserts! (is-whitelisted (contract-of nft-asset-contract)) err-asset-contract-not-whitelisted)
    (asserts! (> (get expiry nft-asset) burn-block-height) err-expiry-in-past)
    (ok listing-id)
  )
)
```
The remediated code example can be found here.
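As an added illustration (not part of the original page and not the detector's own implementation), the following Python sketch applies a simplified version of the rule the `assert-block-height` detector name suggests: parse the Clarity source as s-expressions and report every `asserts!` whose condition reads `block-height`. It is run over the two snippets above; the exact rule used by the real detector is an assumption here.

```python
import re

# Constructed sample: the vulnerable list-asset function shown on this page.
VULNERABLE = """
(define-public (list-asset (nft-asset-contract <nft-trait>) (nft-asset {taker: (optional principal), token-id: uint, expiry: uint, price: uint, payment-asset-contract: (optional principal)}))
  (let ((listing-id (var-get listing-nonce)))
    (asserts! (is-whitelisted (contract-of nft-asset-contract)) err-asset-contract-not-whitelisted)
    (asserts! (> (get expiry nft-asset) block-height) err-expiry-in-past)
    (ok listing-id)))
"""
# The remediated version on this page differs only in which chain's height it reads.
REMEDIATED = VULNERABLE.replace("block-height", "burn-block-height")

def tokenize(src):
    """Split Clarity source into parens and whitespace-free atoms (braces/commas stay in atoms)."""
    return re.findall(r"\(|\)|[^\s()]+", src)

def parse(tokens):
    """Build nested Python lists from the token stream, one list per top-level s-expression."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    return stack[0]

def render(node):
    """Print an s-expression back as Clarity-style text for the finding report."""
    return "(" + " ".join(render(c) for c in node) + ")" if isinstance(node, list) else node

def mentions(node, atom):
    """True if the exact atom occurs in the subtree; 'burn-block-height' does not match 'block-height'."""
    return any(mentions(c, atom) for c in node) if isinstance(node, list) else node == atom

def find_block_height_asserts(src):
    """Return each (asserts! cond ...) whose condition reads block-height (simplified detector rule, assumed)."""
    findings = []
    def walk(node):
        if isinstance(node, list):
            if node and node[0] == "asserts!" and len(node) > 1 and mentions(node[1], "block-height"):
                findings.append(render(node))
            for child in node:
                walk(child)
    for form in parse(tokenize(src)):
        walk(form)
    return findings

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("remediated", REMEDIATED)):
        print(name, find_block_height_asserts(src))
```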