Clock Account Spoofing
Detects programs that read time data from unvalidated accounts instead of the canonical Clock sysvar, enabling timestamp manipulation.
Clock Account Spoofing
Overview
The clock account spoofing detector identifies Solana programs that read timestamp or slot data from an account passed by the caller without verifying it is the canonical Clock sysvar (SysvarC1ock11111111111111111111111111111111). An attacker can pass a fake account with fabricated timestamp data, making time-gated operations (vesting, lockups, auctions) vulnerable to manipulation.
Why This Is an Issue
Many DeFi operations depend on accurate time: token vesting schedules release tokens at specific timestamps, auction deadlines expire based on clock data, and staking reward calculations use time deltas. If an attacker substitutes a fake clock account with a future timestamp, they can unlock vested tokens early, end auctions prematurely, or claim inflated staking rewards.
How to Resolve
// Before: Vulnerable — clock account not validated
pub fn unlock(accounts: &[AccountInfo]) -> ProgramResult {
let clock_info = &accounts[2]; // Could be any account
let clock: Clock = bincode::deserialize(&clock_info.data.borrow())?;
if clock.unix_timestamp > lockup.end_time { /* unlock */ }
Ok(())
}
// After: Fixed — use Clock::get() which reads from the runtime
pub fn unlock(accounts: &[AccountInfo]) -> ProgramResult {
let clock = Clock::get()?; // Runtime-provided, cannot be spoofed
if clock.unix_timestamp > lockup.end_time { /* unlock */ }
Ok(())
}Detection Methodology
- Clock data access detection: Identifies deserialization of Clock-like data structures from account data.
- Sysvar address validation check: Searches for key comparisons against the canonical Clock sysvar address.
- Runtime sysvar usage: Checks whether the program uses
Clock::get()orSysvar::from_account_info()with validation versus raw deserialization. - Higher confidence when the unvalidated clock data is used in arithmetic comparisons with financial implications.
Limitations
False positives: Programs that validate the clock account via check_id() in a helper function may be flagged. False negatives: Custom time sources that are legitimate may be incorrectly excluded.
Related Detectors
- Timestamp Dependency — detects dangerous reliance on timestamps
- Missing Signer Check — detects missing account validation