search

code-423n4 / 2021-12-pooltogether-findings

0 stars 0 forks source link

`getRemainingRewards()` Malfunction for unstarted promotions #102

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

For unstarted promotions, cancelPromotion() will revert at block.timestamp - _promotion.startTimestamp in _getCurrentEpochId().

Call stack: getRemainingRewards() -> _getRemainingRewards() -> _getCurrentEpochId().

https://github.com/pooltogether/v4-periphery/blob/0e94c54774a6fce29daf9cb23353208f80de63eb/contracts/TwabRewards.sol#L276-L279

function _getCurrentEpochId(Promotion memory _promotion) internal view returns (uint256) {
    // elapsedTimestamp / epochDurationTimestamp
    return (block.timestamp - _promotion.startTimestamp) / _promotion.epochDuration;
}

Recommendation

Change to:

function _getCurrentEpochId(Promotion memory _promotion) internal view returns (uint256) {
    // elapsedTimestamp / epochDurationTimestamp
    if (block.timestamp <= _promotion.startTimestamp) {
        return 0
    }
    return (block.timestamp - _promotion.startTimestamp) / _promotion.epochDuration;
}
PierrickGT commented 2 years ago

This issue has been fixed in the following issue. Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/101