Curve points are not validated to be continuously increasing

Summary

Curve points are not validated to be continuously increasing and in case a curve point is less than its predecessor, the getMultiplier function will revert

Vulnerability Detail

Curve points are set by governance in multiple places. Each point on the curve is expected to be greater than the previous point. However, this is not validated in the code. If a point is set to a value less than the previous point, the linear interpolation in TimeLockPool.getMultiplier will revert due to curve[n + 1] < curve[n].

Impact

The core functionality of the TimeLockPool contract will be broken and will revert until the curve is fixed by governance.

Code Snippet

TimeLockPool.sol#L245

function getMultiplier(uint256 _lockDuration) public view returns(uint256) {
    // There is no need to check _lockDuration amount, it is always checked before
    // in the functions that call this function

    // n is the time unit where the lockDuration stands
    uint n = _lockDuration / unit;
    // if last point no need to interpolate
    // trim de curve if it exceedes the maxBonus // TODO check if this is needed
    if (n == curve.length - 1) {
        return 1e18 + curve[n];
    }
    // linear interpolation between points
    return 1e18 + curve[n] + (_lockDuration - n * unit) * (curve[n + 1] - curve[n]) / unit; // @audit-info Can revert due to `curve[n + 1] - curve[n]`
}

Tool used

Manual review

Recommendation

Consider adding appropriate checks to all places where the curve points are set or changed to ensure that a curve point is not less than the previous point.

Duplicate of #111

sherlock-audit / 2022-10-merit-circle-judging

berndartmueller - Curve points are not validated to be continuously increasing #47