The BaseGauge contract's constructor performs division before multiplication when calculating the next period start time, which could lead to precision loss and incorrect period boundaries.
uint256 nextPeriod = ((currentTime / _periodDuration) * _periodDuration) + _periodDuration;
The division operation is performed before multiplication, which in Solidity (using integer arithmetic) can lead to precision loss. While the original intent may have been to round down to period boundaries, this approach is unsafe as it could lose precision when currentTime is large relative to periodDuration.
For example:
If currentTime = 1000000000000000
And periodDuration = 604800 (7 days)
The division would happen first, potentially losing significant digits
When multiplying back, the lost precision cannot be recovered
Incorrect calculation of period boundaries
Potential misalignment of reward distribution periods
Could affect reward calculations and distribution timing
The severity is Medium because while it could cause operational issues, it's unlikely to lead to direct fund loss.
Manual code review
Arithmetic analysis
Implement a safer calculation method that performs multiplication before division.
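The following added example (not BaseGauge code and not part of the submission) evaluates the constructor expression quoted above and a multiplication-first reordering on the example values, modelling Solidity uint256 arithmetic with Python integers. The function names, the exact form of the reordering, and checked (revert-on-overflow) arithmetic are assumptions.

```python
# Added example: Python ints model Solidity uint256 values (non-negative,
# integer division truncates). All function names are hypothetical.
UINT256_MAX = 2**256 - 1


def _u256(value: int) -> int:
    """Assumption: checked arithmetic, so an out-of-range result reverts."""
    if not 0 <= value <= UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return value


def next_period_div_first(current_time: int, period: int) -> int:
    """The expression quoted on the page: divide, multiply, then add."""
    floored = _u256((current_time // period) * period)
    return _u256(floored + period)


def next_period_mul_first(current_time: int, period: int) -> int:
    """One possible multiplication-first reordering (an assumption)."""
    scaled = _u256(current_time * period)  # intermediate product can overflow
    return _u256(scaled // period + period)


def discarded_by_division(current_time: int, period: int) -> int:
    """What the integer division drops: the offset into the current period."""
    return current_time - (current_time // period) * period


def is_next_boundary(candidate: int, current_time: int, period: int) -> bool:
    """True if candidate is the first multiple of period after current_time."""
    aligned = candidate % period == 0
    return aligned and current_time < candidate <= current_time + period


if __name__ == "__main__":
    t, p = 1_000_000_000_000_000, 604_800  # example values from the text
    for name, fn in (("div-first", next_period_div_first),
                     ("mul-first", next_period_mul_first)):
        result = fn(t, p)
        print(name, result, "aligned:", is_next_boundary(result, t, p))
    print("discarded by division:", discarded_by_division(t, p))
```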