getRewardForDuration will start returning misleading results if rewardsDuration is updated

[code423n4]

Handle

paulius.eth

Vulnerability details

Impact

contract MplRewards function getRewardForDuration will start returning misleading results if rewardsDuration is updated (function setRewardsDuration) as rewardRate is not updated and is based on old rewardsDuration. This function is not used anywhere, I assume it is meant for frontend consumption. Anyway, I think it would make sense to return 0 if block.timestamp > periodFinish (which is the condition when owner can set new rewards duration).

Recommended Mitigation Steps

return 0 if block.timestamp > periodFinish.

[lucas-manuel]

Informational, won't address