Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

scammed - Voter::startNewVotingPeriod lacks check if the current voting period has ended #504

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 1 comment
Closed

scammed - Voter::startNewVotingPeriod lacks check if the current voting period has ended #504

sherlock-admin4 opened this issue Jul 15, 2024 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Jul 15, 2024
edited by WangSecurity
Loading

scammed

Medium

Voter::startNewVotingPeriod lacks check if the current voting period has ended

Summary

Voter::startNewVotingPeriod() does not check if _currentVotingPeriodId has ended.

Vulnerability Detail

The owner can start new voting periods with startNewVotingPeriod(), but the function does not check if the current one has ended, which will make the contract logic inconsistent, as well as BribeRewarder.sol's logic, which is based on the duration of the period.

function startNewVotingPeriod() public onlyOwner {
    _currentVotingPeriodId++;

    // AUDIT - no check if last VotingPeriod ended?

    VotingPeriod storage period = _startTimes[_currentVotingPeriodId];
    period.startTime = block.timestamp;
    period.endTime = block.timestamp + _periodDuration;

    emit VotingPeriodStarted();
}

Impact

Period rewards can remain locked as they are based on _periodDuration.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/Voter.sol#L107-L115

Tool used

Manual Review

Recommendation

Add a check that the timestamp when calling startNewVotingPeriod is after _currentVotingPeriodId.endTime.
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 21, 2024
@0xSmartContract 0xSmartContract added High A High severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jul 27, 2024
@sherlock-admin4 sherlock-admin4 changed the title Soft Mint Lizard - Voter::startNewVotingPeriod lacks check if the current voting period has ended scammed - Voter::startNewVotingPeriod lacks check if the current voting period has ended Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
@chinmay-farkya chinmay-farkya mentioned this issue Aug 2, 2024
Open
@WangSecurity
Copy link

Invalid based on the comment #166 (comment).

@WangSecurity WangSecurity removed High A High severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 13, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Aug 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@0xSmartContract @WangSecurity @sherlock-admin2 @sherlock-admin4