Logic Bugs
Solidity Attack Vector #14: Timestamp Dependence
SecurityInfinity Research • 7 min read
The block.timestamp is not a precise source of time. It is set by the miner (validator) of the block.
The Risk
A validator can manipulate the timestamp by up to 15 seconds to their advantage. If your contract uses the timestamp as a source of randomness (never do this!) or to gate a critical state transition such as an unlock, a validator can 'cheat'.
Defense
1. The 15-second Rule: Never rely on timestamp precision finer than 15-30 seconds.
2. Oracles: Use Chainlink VRF for randomness or an external time oracle for high-precision time requirements.
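The risk and the 15-second rule above, shown as an added example (not code from the original article): a contract whose outcome depends on the exact second of block.timestamp, next to a timelock that only uses the timestamp at a granularity far coarser than the drift. The contract names, MAX_DRIFT and MIN_LOCK are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; all contract, function and constant names are hypothetical.

/// Vulnerable: the payout depends on the exact second in block.timestamp,
/// a value chosen by the block's validator within the allowed drift.
contract TimestampLottery {
    function play() external payable {
        require(msg.value == 1 ether, "stake 1 ether");
        // Second-level precision: a few seconds of drift flips the outcome.
        if (block.timestamp % 15 == 0) {
            (bool ok, ) = msg.sender.call{value: address(this).balance}("");
            require(ok, "transfer failed");
        }
    }
}

/// Hardened: the timestamp only gates a long-lived lock, and the check is
/// padded so a drift of up to MAX_DRIFT seconds cannot change the result.
contract CoarseTimelock {
    uint256 public constant MAX_DRIFT = 30;    // upper end of the 15-30 s rule
    uint256 public constant MIN_LOCK = 1 days; // assumed: lock far longer than drift
    mapping(address => uint256) public unlockAt;
    mapping(address => uint256) public balance;

    function deposit(uint256 lockSeconds) external payable {
        require(lockSeconds >= MIN_LOCK, "lock too short for timestamp precision");
        require(msg.value > 0, "no value");
        balance[msg.sender] += msg.value;
        // Extend, never shorten, an existing lock.
        uint256 candidate = block.timestamp + lockSeconds;
        if (candidate > unlockAt[msg.sender]) unlockAt[msg.sender] = candidate;
    }

    function withdraw() external {
        // The deadline must have passed by more than the drift window.
        require(block.timestamp >= unlockAt[msg.sender] + MAX_DRIFT, "still locked");
        uint256 amount = balance[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balance[msg.sender] = 0; // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The hardened contract draws no randomness from the timestamp at all; where randomness is required, it comes from an oracle as described in item 2.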