Description

According to the comments, the owner of the contract PreDeposit can update the deposit start time before the current start time. However, the function setDepositStartTime compares the block.timestamp to the parameter newDepositStartTime instead of comparing to the state variable depositStartTime.

/**
 * @dev Updates the deposit start time. Can only be called by owner before current start time.
 * @param newDepositStartTime New deposit start timestamp
 */
function setDepositStartTime(uint256 newDepositStartTime) external onlyOwner {
  if (block.timestamp > newDepositStartTime) revert DepositAlreadyStarted();
  if (newDepositStartTime <= depositStartTime) revert DepositStartMustOnlyBeExtended();
  if (newDepositStartTime >= depositEndTime) revert DepositEndMustBeAfterStart();

  depositStartTime = newDepositStartTime;
}

Impact

The owner could update the deposit start time during the predeposit period. The predeposit status may change from started to not started, affecting the user's deposit or withdrawal.

Recommendations

Consider making modifications based on the following code.

-if (block.timestamp > newDepositStartTime) revert DepositAlreadyStarted();
+if (block.timestamp > depositStartTime) revert DepositAlreadyStarted();

Remediation

This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit d6e75ec0↗.