setEpochDuration() breaks the user's expected exchangeRate #83
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-205
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L546-L552
Vulnerability details
Impact
Changing epochDuration can extend the current epoch, resulting in exchangeRate changes that affect user revenue.
Proof of Concept
MANAGER_ADMIN can modify epochDuration with setEpochDuration().
epochDuration is an important factor in the calculation of whether to enter a new epoch.
However, setEpochDuration() does not first perform an updateEpoch, which would enter a new epoch if the condition for entering one is currently satisfied.
As a result, it may not be possible to switch to the new epoch because the epochDuration has grown, and the old epoch is still used.
Each epoch has its own exchangeRate, and a user who performs requestMint() has already estimated the exchangeRate before the end of the epoch.
Since setEpochDuration() changed the epochDuration, the exchangeRate changes, and that change may affect user revenue.
So it is recommended to apply the old epochDuration to the elapsed time to get the correct exchangeRate.
Tools Used
Recommended Mitigation Steps
add updateEpoch
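The following Python model is an added illustration of the finding and its mitigation; it is not the CashManager code and not part of the original submission. It assumes a rollover rule of one new epoch per full epochDuration elapsed and that requestMint() updates the epoch before recording a request; all class, method and parameter names are hypothetical.

```python
class CashManagerModel:
    """Toy model of epoch bookkeeping (assumed semantics, not the Ondo contract)."""

    def __init__(self, epoch_duration, update_before_set):
        self.epoch_duration = epoch_duration
        self.update_before_set = update_before_set  # True = mitigated setter
        self.current_epoch = 0
        self.epoch_start = 0
        self.mint_requests = {}  # epoch -> list of (user, amount)

    def update_epoch(self, now):
        # Assumed rule: advance one epoch for every full duration elapsed.
        elapsed_epochs = (now - self.epoch_start) // self.epoch_duration
        if elapsed_epochs > 0:
            self.current_epoch += elapsed_epochs
            self.epoch_start += elapsed_epochs * self.epoch_duration

    def set_epoch_duration(self, now, new_duration):
        if self.update_before_set:
            # Mitigation: settle the elapsed time under the OLD duration first.
            self.update_epoch(now)
        self.epoch_duration = new_duration

    def request_mint(self, now, user, amount):
        self.update_epoch(now)
        self.mint_requests.setdefault(self.current_epoch, []).append((user, amount))
        return self.current_epoch  # the epoch whose exchangeRate will apply


def epoch_of_mint_after_extension(update_before_set):
    # Constructed scenario: duration 100, so epoch 0 should have ended at t=100.
    m = CashManagerModel(epoch_duration=100, update_before_set=update_before_set)
    m.set_epoch_duration(now=120, new_duration=200)   # admin extends at t=120
    return m.request_mint(now=130, user="alice", amount=1_000)


if __name__ == "__main__":
    # Without the update, the request lands in the stale epoch 0.
    print("setter without updateEpoch ->", epoch_of_mint_after_extension(False))
    # With the update, epoch 0 is closed first and the request lands in epoch 1.
    print("setter with updateEpoch    ->", epoch_of_mint_after_extension(True))
```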