Core Contracts

Summary

The _updateWeights function in the contract claims to update the weight of an existing period but instead always creates a new period, whether or not one already exists. This could lead to unnecessary period fragmentation and unintended behavior in weight calculations.

Vulnerability Details

• The function _updateWeights is responsible for updating the weight for time-weighted average calculations.

• The function always calls createPeriod, which initializes a new period instead of updating the existing one.

• Both the initial and subsequent period calculations determine nextPeriodStart using the same formula, meaning an existing period is never updated—only replaced with a new one.

• If weight updates are frequent, this could lead to excessive state changes and storage usage, potentially increasing gas costs.

Impact

• The expected behavior of updating an existing period does not occur, which may lead to incorrect or unexpected weight calculations.

• Potentially incorrect period tracking due to fragmented period history.

Tools Used

• Manual code review

• Static analysis

Recommendations

• Modify _updateWeights to check if an active period exists before creating a new one.

• Instead of always calling createPeriod, update the weight field of the existing period if it has not yet expired.

• Consider adding an explicit function for creating a new period separately from updating an existing period to maintain clear functionality.