Summary

An issue has been identified in the deposit function where the sequence of operations can lead to inaccurate reward calculations for stakers. Specifically, the updateFor function should be called before the transferFrom function to ensure accurate accounting of staked tokens and rewards.

Vulnerability Details

In the provided deposit function, the TKN.transferFrom method is called before the updateFor method. The updateForfunction presumably updates the reward index or calculations based on the current balance of staked tokens in the contract. By transferring tokens into the contract before updating the staker's reward calculations, the function uses an inflated balance, which can lead to an inaccurate reward ratio for the staker.

This incorrect sequence can negatively impact stakers as it can lower the reward ratio added to their index. As a result, a portion of the rewards might remain locked in the contract, preventing stakers from fully benefiting from their staked tokens.

Impact

Stakers might receive fewer rewards than they are entitled to due to the inaccurate reward ratio calculation.

Tools Used

Manual Review

Recommendations

Modify the deposit function to call the updateFor method before the TKN.transferFrom method.