slowfi - The `period.endTime` Can Not Match With Its Assigned Value

[sherlock-admin2]

slowfi

Medium

The period.endTime Can Not Match With Its Assigned Value

Summary

The Voter contract sets the endTime for a certain period with a fixed time when starting a voting period. However the end period does not necessarily correspond to that value. This may result in an improper time reward distribution on the BribeReward contract.

Vulnerability Detail

Theoretically the period time is 14 days. However the function startNewVotingPeriod can be called at any time. If a period is finished sooner than expected the endTime will still be a value on the future. That period is not possible to be voted, but it still goes on.

Moreover the BribeRewarder still uses the wrong end time to distribute the rewards although it is impossible to still vote on that period.

Impact

users may need to wait for times that are not reflected on the current contract to get their rewards.

Code Snippet

startNewVotingPeriod function

  function startNewVotingPeriod() public onlyOwner {
      _currentVotingPeriodId++;

      VotingPeriod storage period = _startTimes[_currentVotingPeriodId];
      period.startTime = block.timestamp;
      period.endTime = block.timestamp + _periodDuration;

      emit VotingPeriodStarted();
  }

Tool used

Manual Review

Recommendation

Assign the end time of the previous period when starting a new period.

[0xSmartContract]

This issue falls under the admin category https://docs.sherlock.xyz/audits/judging/judging#vii.-list-of-issue-categories-that-are-not-considered-valid

Admin Input/call validation:

An admin action can break certain assumptions about the functioning >of the code. Example: Pausing a collateral causes some users to be >unfairly liquidated or any other action causing loss of funds. This is >not considered a valid issue.