Skip to main content
Sigvex

Clock Account Spoofing

Detects programs that read time data from unvalidated accounts instead of the canonical Clock sysvar, enabling timestamp manipulation.

Clock Account Spoofing

Overview

The clock account spoofing detector identifies Solana programs that read timestamp or slot data from an account passed by the caller without verifying it is the canonical Clock sysvar (SysvarC1ock11111111111111111111111111111111). An attacker can pass a fake account with fabricated timestamp data, making time-gated operations (vesting, lockups, auctions) vulnerable to manipulation.

Why This Is an Issue

Many DeFi operations depend on accurate time: token vesting schedules release tokens at specific timestamps, auction deadlines expire based on clock data, and staking reward calculations use time deltas. If an attacker substitutes a fake clock account with a future timestamp, they can unlock vested tokens early, end auctions prematurely, or claim inflated staking rewards.

How to Resolve

// Before: Vulnerable — clock account not validated
pub fn unlock(accounts: &[AccountInfo]) -> ProgramResult {
    let clock_info = &accounts[2];  // Could be any account
    let clock: Clock = bincode::deserialize(&clock_info.data.borrow())?;
    if clock.unix_timestamp > lockup.end_time { /* unlock */ }
    Ok(())
}

// After: Fixed — use Clock::get() which reads from the runtime
pub fn unlock(accounts: &[AccountInfo]) -> ProgramResult {
    let clock = Clock::get()?;  // Runtime-provided, cannot be spoofed
    if clock.unix_timestamp > lockup.end_time { /* unlock */ }
    Ok(())
}

Detection Methodology

  1. Clock data access detection: Identifies deserialization of Clock-like data structures from account data.
  2. Sysvar address validation check: Searches for key comparisons against the canonical Clock sysvar address.
  3. Runtime sysvar usage: Checks whether the program uses Clock::get() or Sysvar::from_account_info() with validation versus raw deserialization.
  4. Higher confidence when the unvalidated clock data is used in arithmetic comparisons with financial implications.

Limitations

False positives: Programs that validate the clock account via check_id() in a helper function may be flagged. False negatives: Custom time sources that are legitimate may be incorrectly excluded.

References