code-423n4 / 2023-01-ondo-findings

Mint claim gets saved under the wrong epoch when setEpochDuration is called #243

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L546-L552

Vulnerability details

Impact

Changing epochDuration messes up the protocol. It can result in a user's deposit being saved under the wrong epoch.

Proof of Concept

Let's say the epoch length is 10 seconds and userA makes a deposit (requestMint) in the second second. The user has therefore made a deposit in the first epoch. However, if the admin in the next second sets the epoch duration to 1 second, and then in the 4th second another user calls requestMint, then he changes the current epoch to the 4th, resulting in userA's deposit being saved in the wrong epoch (1st instead of 2nd).

Time frame:

Such a change can result in users' deposits being mixed up or lost.

Tools Used

Manual review

Recommended Mitigation Steps

Don't allow epochDuration changes, since they mess up historic records.

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Invalid