Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

BaseGauge contract shows incorrect periodFinish()

Summary

BaseGauge contract shows incorrect periodFinish()

Vulnerability Details

BaseGauge.periodFinish() is expected to return the timestamp at which the period ends, but it fails to do so because the end timestamp is calculated as lastUpdateTime + getPeriodDuration(), where `lastUpdateTime` is the timestamp at which rewards were last updated.

Because `lastUpdateTime` is updated over time, the value of periodFinish() moves with it, meaning that the end timestamp of the period is never reached as it keeps growing.

Impact

periodFinish() will never show the correct timestamp. As a result, lastTimeRewardApplicable() does not return the actual last time at which rewards apply, and `getRewardPerToken()` (which uses lastTimeRewardApplicable()) will miscalculate rewardPerTokenStored, leading to a much higher reward than expected.
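The drift and its effect on accrual can be reproduced off-chain. This is an added model, not the BaseGauge source: it assumes Synthetix-style accounting (lastTimeRewardApplicable() as min(now, periodFinish()), accrual over the time since lastUpdateTime), and `makeGauge`, `simulate`, `PERIOD` and `RATE` are hypothetical names with constructed values.

```javascript
// Added model of the finding; NOT the BaseGauge contract code.
const PERIOD = 7n * 24n * 3600n; // constructed period duration: 7 days
const RATE = 10n;                // constructed reward rate: tokens per second

function makeGauge(fixed, startTime) {
  const g = { lastUpdateTime: startTime, paidSeconds: 0n };
  // Buggy form derives the end from lastUpdateTime; fixed form from the period start.
  g.periodFinish = () => (fixed ? startTime : g.lastUpdateTime) + PERIOD;
  // Assumed: min(now, periodFinish()), as in Synthetix StakingRewards.
  g.lastTimeRewardApplicable = (now) =>
    now < g.periodFinish() ? now : g.periodFinish();
  // Assumed update step: accrue for the applicable interval, then move lastUpdateTime.
  g.update = (now) => {
    const t = g.lastTimeRewardApplicable(now);
    if (t > g.lastUpdateTime) {
      g.paidSeconds += t - g.lastUpdateTime;
      g.lastUpdateTime = t;
    }
  };
  return g;
}

// Trigger one reward update per day for 21 days (three nominal periods).
function simulate(fixed) {
  const start = 1700000000n; // constructed period start timestamp
  const g = makeGauge(fixed, start);
  const finishes = [];
  for (let day = 1n; day <= 21n; day++) {
    g.update(start + day * 86400n);
    finishes.push(g.periodFinish());
  }
  return {
    rewardsAccrued: g.paidSeconds * RATE, // what the accounting hands out
    budget: PERIOD * RATE,                // what one period should hand out
    finishMoved: finishes.some((f) => f !== finishes[0]),
    lastFinish: finishes[finishes.length - 1],
  };
}

const buggy = simulate(false);
const fixedRun = simulate(true);
console.log("buggy:", buggy);    // accrual continues past one period's budget
console.log("fixed:", fixedRun); // accrual stops at the budget, end stays put
```

In the buggy run every update pushes periodFinish() one day further out, so the cap in lastTimeRewardApplicable() never binds and accrual reaches three times the single-period budget.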

Tools Used

Manual review

Recommendations

Correct the BaseGauge.periodFinish() function to return the true period end timestamp:

function periodFinish() public view returns (uint256) {
- return lastUpdateTime + getPeriodDuration();
+ return periodState.votingPeriod.startTime + getPeriodDuration();
}
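Review bot: the `+` line anchors the period end to `periodState.votingPeriod.startTime`, so the fix only holds if that field is written solely when a new period begins; confirm that no reward-update path touches it, otherwise the end timestamp drifts the same way it did with `lastUpdateTime`. It would also help to add a NatSpec comment stating that periodFinish() is constant within a period, and a test that calls periodFinish() before and after a reward update and asserts the value is unchanged.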
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge period end time miscalculation creates circular dependency between periodFinish() and lastUpdateTime, preventing periods from naturally ending and disrupting reward distribution
