Platform: Code4rena
Start Date: 04/01/2022
Pot Size: $25,000 USDC
Total HM: 3
Participants: 40
Period: 3 days
Judge: Ivo Georgiev
Total Solo HM: 1
Id: 75
League: ETH
Rank: 33/40
Findings: 1
Award: $30.27
Selected for report: 0
Solo Findings: 0
30.2712 USDC - $30.27
danb
At the end of unlock, _updateXDEFIBalance is called. It updates distributableXDEFI, meaning that in a call to updateDistribution after unlock, nothing will change. Calling unlock before rewards are updated will delete them.

A malicious user can create a flashbot to detect updateDistribution transactions and frontrun them with unlock. This way they can prevent all users from getting all rewards.

Remove calling _updateXDEFIBalance at unlock.
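As an added illustration (not the project's contract: the function and field names are taken from the finding, the bodies are an assumed simplification of the described accounting), a toy model showing how a balance resync inside unlock discards rewards that a later updateDistribution would otherwise credit, and how the fix restores them:

```python
# Added toy model of the ordering bug described in the finding above. Not the
# project's contract: names come from the finding, bodies are an assumed simplification.

class RewardPool:
    def __init__(self, unlock_resyncs_balance: bool):
        self.balance = 0             # tokens the contract actually holds
        self.distributableXDEFI = 0  # part of the balance already accounted for
        self.locked = {}             # user -> locked stake
        self.rewards = {}            # user -> rewards credited so far
        self.unlock_resyncs_balance = unlock_resyncs_balance

    def lock(self, user, amount):
        self.locked[user] = self.locked.get(user, 0) + amount
        self.balance += amount
        self.distributableXDEFI += amount  # a deposit is not a reward

    def fund_rewards(self, amount):
        self.balance += amount  # reward tokens arrive; credited only by updateDistribution

    def _updateXDEFIBalance(self):
        # Resync the accounted balance to the real one WITHOUT crediting anyone
        self.distributableXDEFI = self.balance

    def updateDistribution(self):
        # Credit whatever arrived since the last accounting, pro rata to stake
        new_rewards = self.balance - self.distributableXDEFI
        total = sum(self.locked.values())
        if new_rewards > 0 and total > 0:
            for user, stake in self.locked.items():
                self.rewards[user] = self.rewards.get(user, 0) + new_rewards * stake // total
        self.distributableXDEFI = self.balance

    def unlock(self, user):
        stake = self.locked.pop(user, 0)
        self.balance -= stake
        self.distributableXDEFI -= stake
        if self.unlock_resyncs_balance:  # the call the finding asks to remove
            self._updateXDEFIBalance()
        return stake

def alice_rewards(unlock_resyncs_balance: bool) -> int:
    # Rewards alice ends up with when bob's unlock lands just before updateDistribution
    pool = RewardPool(unlock_resyncs_balance)
    pool.lock("alice", 100)
    pool.lock("bob", 100)
    pool.fund_rewards(50)  # 50 reward tokens sit undistributed (constructed values)
    pool.unlock("bob")
    pool.updateDistribution()
    return pool.rewards.get("alice", 0)
```

With the resync in place alice is credited nothing, because the 50 pending tokens were folded into distributableXDEFI before updateDistribution ran; without it she receives the full 50.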
#0 - deluca-mike
2022-01-09T06:23:46Z
Technically valid, but this was expected, and we disagree with severity, as explained in the duplicate issue #30.