updatePeriod updates period duration wrong
Summary
updatePeriod() calculates the period incorrectly, resulting in a future date being multiplied by 2.
Vulnerability Details
The vulnerability lies in the formula for calculating the new period start time:
Let's look at this scenario if periodDuration == 7 days (604,800,000 ms):
currentTime == block.timestamp == 1,740,391,606,074 ms (24/02/2025)
Formula:
(1,740,391,606,074 / 604,800,000 + 2) * 604,800,000 = 1,741,601,206,074 (10/03/2025)
10/03/2025 - 24/02/2025 = 14 days instead of 7 days
The same happens for a 30-day period.
Impact
Incorrect period start date, leading to the loss of one distribution period.
Tools Used
Manual review.
Recommendations
Instead of adding 2, add 1 in the formula for nextPeriodStart.
Lead Judging Commences
BaseGauge::updatePeriod uses ((currentTime / periodDuration) + 2) calculation causing entire reward periods to be skipped, resulting in permanent loss of user rewards
BaseGauge::updatePeriod uses ((currentTime / periodDuration) + 2) calculation causing entire reward periods to be skipped, resulting in permanent loss of user rewards
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.