Slope changes can be at any time, making it impossible to properly apply them
Summary
Slope changes can be at any time, making it impossible to properly apply them
Vulnerability Details
Slope changes are very important in a voting contract, they are used to determine how the voting power will change at a point in the future. The issue is that any user can provide his own, completely arbitrary duration. The only check regarding it is to be between the min and max duration:
This means there might be slope changes every second, this is absolutely impossible to apply and will result in completely incorrect state over the long run.
If we take a look at Curve, we will see that the duration is rounded down to weeks:
This is extremely important, otherwise it is completely impossible to actually apply those slope changes, as this means that for every timestamp, there might be slope changes, trying to do so will result in extreme gas issues (Curve's voting escrow by itself is not the most gas optimized contract as it runds a loop for slope changes, here it would be a complete massacre considering the arbitrary unlock times).
Impact
Slope changes can't be applied, trying to do so will result in OOG.
Tools Used
Manual Review
Recommendations
Use weekly unlock times only (or another duration, maybe 2-weeks or whatever)
Appeal created
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.