Submission Details
Severity:
BaseGauge::_updateWeights doesn't implement update functionality as NatSpec states, leading to DoS
Summary
BaseGauge::_updateWeights has the following documentation:
/**
* @notice Updates weights for time-weighted average calculation
* @dev Creates new period or updates existing one with new weight
* @param newWeight New weight value to record
*/
However, the update logic is not present. Both functions used are the same:
function createPeriod(
Period storage self,
uint256 startTime,
uint256 duration,
uint256 initialValue,
uint256 weight
) internal {
if (self.startTime != 0 && startTime < self.startTime + self.totalDuration) {
revert PeriodNotElapsed();
}
if (duration == 0) revert ZeroDuration();
if (weight == 0) revert ZeroWeight();
self.startTime = startTime;
self.endTime = startTime + duration;
self.lastUpdateTime = startTime;
self.value = initialValue;
self.weightedSum = 0;
self.totalDuration = duration;
self.weight = weight;
emit PeriodCreated(startTime, duration, initialValue);
}
Vulnerability Details
The BaseGauge::_updateWeightsfunction calls TimeWeightedAverage::createPeriodon both conditional entry points. The TimeWeightedAverage::createPeriod function checks if the struct Period used as a param is populated. If it is, the contract reverts.
Impact
The protocol will be blocked from updating the weights when the function is called.
Tools Used
Code review
Recommendations
Use the correct function from the TimeWeightedAverage library: TimeWeightedAverageupdateValue
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.