Gauge reward periods are not enforced correctly due to incorrect timing logic
Summary
Users are able to earn rewards during either 1 week or 1 month periods through the Gauge contracts. There is an issue with how the period duration is tracked however that allows users to earn rewards past this timeframe for an indefinite amount.
Vulnerability Details
The _updateReward function is called through the updateReward modifier to recalculate the amount of rewards a user should be eligible for. rewardPerTokenStored is used to track the changes in the reward per token over the 1 week or 1 month duration of the period and is updated through getRewardPerToken.
A problem arises though in the call to lastTimeRewardApplicable. This gets the latest applicable reward time and assigns it to lastUpdateTime but the check for block.timestamp < periodFinish() can never return false and therefore lastUpdateTime will always be the latest block.timestamp and the period will never end.
This is because periodFinish just adds on the period duration of either 1 week or 1 month to the lastUpdateTime creating an infinite deadline that will never be reached.
Impact
Reward periods are not enforced allowing users to accrue rewards indefinitely
Tools Used
Manual Review
Recommendations
Period tracking needs to be more dynamic
Lead Judging Commences
BaseGauge period end time miscalculation creates circular dependency between periodFinish() and lastUpdateTime, preventing periods from naturally ending and disrupting reward distribution
BaseGauge period end time miscalculation creates circular dependency between periodFinish() and lastUpdateTime, preventing periods from naturally ending and disrupting reward distribution
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.