Code4rena (code423n4), CODE423N4:2023-12-AUTONOLAS-FINDINGS-ISSUES-430
Jan 08, 2024 - 12:00 a.m.

Leap year not accounted for OLAS and veOLAS contract

Lines of code
<https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/governance/contracts/veOLAS.sol#L101>

Vulnerability details

Impact

The OLAS and veOLAS contracts do not account for years with 366 days in their state variables uint256 public constant oneYear = 1 days * 365; and uint256 internal constant MAXTIME = 4 * 365 * 86400;

The problem with this is that, in OLAS.sol, the minter can exceed uint256 public constant tenYearSupplyCap = 1_000_000_000e18; 2.5 days earlier than expected, and in veOLAS.sol, MAXTIME is 1 day shorter in real life.

Proof of Concept

In ten years there will be at least two years with 366 days, and in 4 years there will be a year with 366 days; oneYear and MAXTIME do not account for this real-life instance.

uint256 public constant oneYear = 1 days * 365;


uint256 internal constant MAXTIME = 4 * 365 * 86400;

Tools Used

Manual review

Recommended Mitigation Steps

uint256 public constant oneYear = 31_557_600;


uint256 internal constant MAXTIME = 4 * 31_557_600;
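
The drift between the contracts' fixed-length periods and the calendar can be checked directly; the following Python script is an added example, not part of the original finding or the Autonolas code. It compares the 365-day constants with the recommended 31_557_600-second year over the ten-year and four-year (MAXTIME) windows. The start dates are constructed, not the contracts' deployment dates, and anniversary, drift_days and report are hypothetical helper names.

```python
from datetime import date

DAY = 86_400
ONE_YEAR_365 = 365 * DAY        # basis of oneYear and MAXTIME quoted in the finding
ONE_YEAR_JULIAN = 31_557_600    # 365.25 days, the value the finding recommends


def anniversary(start: date, years: int) -> date:
    """Same calendar day `years` later; a Feb 29 start falls back to Feb 28."""
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)


def drift_days(start: date, years: int, seconds_per_year: int) -> float:
    """Calendar span minus the contract's fixed-length span, in days.

    Positive: the contract's period ends before the calendar anniversary.
    Negative: the contract's period ends after it.
    """
    calendar_seconds = (anniversary(start, years) - start).days * DAY
    return (calendar_seconds - years * seconds_per_year) / DAY


def report(start: date) -> dict:
    """Drift for the ten-year cap window and the four-year MAXTIME window."""
    return {
        "ten_years_365": drift_days(start, 10, ONE_YEAR_365),
        "ten_years_julian": drift_days(start, 10, ONE_YEAR_JULIAN),
        "maxtime_365": drift_days(start, 4, ONE_YEAR_365),
        "maxtime_julian": drift_days(start, 4, ONE_YEAR_JULIAN),
    }


if __name__ == "__main__":
    # Constructed start dates (assumption), chosen so the ten-year window
    # contains two leap days in one case and three in the other.
    for start in (date(2021, 3, 1), date(2022, 7, 1)):
        print(start, report(start))
```

The ten-year drift of the 365-day constant is a whole number of leap days that depends on the start date, while the 365.25-day constant stays within half a day of the calendar for these windows.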

Assessed type

Timing

