From b2edb9b6ad99cc91fca86dd14ca1710e44dd55ec Mon Sep 17 00:00:00 2001
From: Burak Benligiray
Date: Thu, 1 Aug 2024 12:20:04 +0300
Subject: [PATCH] Require signed data in OEv updates to be older than update allowance end timestamp
---
 contracts/api3-server-v1/Api3ServerV1OevExtension.sol | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/contracts/api3-server-v1/Api3ServerV1OevExtension.sol b/contracts/api3-server-v1/Api3ServerV1OevExtension.sol
index 311d244..5f4f3cd 100644
--- a/contracts/api3-server-v1/Api3ServerV1OevExtension.sol
+++ b/contracts/api3-server-v1/Api3ServerV1OevExtension.sol
@@ -67,6 +67,10 @@ contract Api3ServerV1OevExtension is
 ),
 "Auctioneer invalid"
 );
+ require(
+ updateAllowanceEndTimestamp < block.timestamp + 1 hours,
+ "Timestamp not valid"
+ );
 UpdateAllowance storage updateAllowance = dappIdToUpdateAllowance[
 dappId
 ];
@@ -152,9 +156,10 @@ contract Api3ServerV1OevExtension is
 "Signature mismatch"
 );
 // Cannot use processBeaconUpdate() here because data is not calldata
+ // Timestamp implicitly can't be more than 1 hours in the future due to the check in payOevBid()
 require(
- timestamp < block.timestamp + 1 hours,
- "Timestamp not valid"
+ timestamp < updateAllowance.endTimestamp,
+ "Timestamp not allowed"
 );
 require(
 timestamp > _dataFeeds[oevBeaconId].timestamp,
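Review bot: The new `require` on `updateAllowanceEndTimestamp` carries no comment saying that, after this commit, it is the only thing keeping signed-data timestamps within an hour of block time. The second hunk drops the `block.timestamp + 1 hours` guard from the update path and relies on this check instead, so a later edit that relaxes or moves it would silently remove that bound. I would add a comment above it, for example `// Data feed updates rely on this bound to reject signed data timestamped more than 1 hour ahead`. The check is an upper bound only. Whether an end timestamp already in the past is rejected cannot be seen here, because the enclosing function (presumably payOevBid(), going by the comment in the second hunk) starts and ends outside the hunk.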
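Review bot: The future-timestamp limit on signed data now holds only if every write to `updateAllowance.endTimestamp` passes the check in payOevBid(), and nothing visible in this hunk enforces that. If another path ever stores a later end timestamp, a far-future `timestamp` would pass here and, because of the `timestamp > _dataFeeds[oevBeaconId].timestamp` check just below, could hold back later updates to that feed. As defence in depth I would keep both conditions, `timestamp < updateAllowance.endTimestamp && timestamp < block.timestamp + 1 hours,`. If the saved gas matters more, the comment should instead state the invariant exactly, e.g. `// endTimestamp is only written in payOevBid(), which bounds it by block.timestamp + 1 hours`. The enclosing function starts and ends outside the hunk.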