DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Yield update is overlooked during some short operations

Summary

Yield update is overlooked during some short operations.

Vulnerability Details

[Note: YIELD_DELAY_HOURS might be set wrongly (as per Constants.sol#L16). It's currently set to 1 second, contrary to its name which implies hours. I assume it should be 1 hour.]

Users are eligible to claim yield for shorts that have been active for over an hour.

Looking at YieldFacet#_distributeYield:

bool notRecentlyChanged = timestamp - short.updatedAt > Constants.YIELD_DELAY_HOURS;
if (short.status != SR.Cancelled && notRecentlyChanged) {
...
}

Yet, some operations in LibShortRecord, like merge, setFlagger, and resetFlag, change the updatedAt time of an existing short record and this can alter yield calculations.

See:

merge: LibShortRecord.sol#L328
setFlagger: LibShortRecord.sol#L409
resetFlag: LibShortRecord.sol#L426

Before altering the updatedAt, the system should distribute the yield so users receive the correct amount based on the original updatedAt value.

Impact

Users might not get the correct yield amount when they conduct certain short actions.

Tools Used

Manual

Recommendations

I recommend adding the following code just before executing any of the 3 short functions mentioned above.

yieldFacet.distributeYield(s.assets);
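
Added example (not DittoETH code and not the submitter's): a simplified Python model of the gate quoted from YieldFacet#_distributeYield, showing how a write to updatedAt changes whether a later distribution pass includes the short. The one-hour delay, the timestamps, the `touch` helper and the "Open" status are assumptions; yield amounts are not modeled.

```python
from dataclasses import dataclass

# Assumption: 1 hour, the value the report expects. The report notes the
# constant is currently 1 second; pass delay=1 to model that.
YIELD_DELAY = 3600


@dataclass
class ShortRecord:
    id: int
    updated_at: int
    status: str = "Open"  # placeholder status; only "Cancelled" comes from the page


def not_recently_changed(short, now, delay=YIELD_DELAY):
    # Mirrors: timestamp - short.updatedAt > Constants.YIELD_DELAY_HOURS
    return now - short.updated_at > delay


def passes_gate(short, now, delay=YIELD_DELAY):
    # Mirrors: short.status != SR.Cancelled && notRecentlyChanged
    return short.status != "Cancelled" and not_recently_changed(short, now, delay)


def touch(short, now):
    # Stand-in for merge / setFlagger / resetFlag: only the updatedAt write is modeled.
    short.updated_at = now


def scenario(distribute_first, delay=YIELD_DELAY):
    """Return the timestamps at which the short passed the yield gate."""
    short = ShortRecord(id=1, updated_at=0)  # constructed sample record
    passed = []
    t = 5000  # the short has existed longer than one hour
    if distribute_first and passes_gate(short, t, delay):
        passed.append(t)  # distribution run before updatedAt is overwritten
    touch(short, t)  # the short operation resets updatedAt
    if passes_gate(short, t + 60, delay):
        passed.append(t + 60)  # distribution attempted one minute later
    return passed


if __name__ == "__main__":
    print("no distribution before the update:", scenario(False))
    print("distribution before the update:   ", scenario(True))
    print("same sequence with a 1-second delay:", scenario(False, delay=1))
```
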

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
