Position holders may get less or even no rewards due to incorrect returned stake value
Summary
Due to an incorrectly returned value in stake function, position holders may be subject to loss of rewards.
Vulnerability Details
Apparently the stake function in LiquidationPool contract returns the stake value provided by position holders. This stake value is used in distributeAssets to calculate holder rewards. However, the function will return the wrong token of stake:
This will cause, when TST token is more than EUROs token, the stake amount will be EUROs amount instead of TST, this makes position holder to get potentially less or even no reward.
Impact
Suppose an user deposited 10 * 10 ** 18 EUROs tokens for a position, since the holder has no TST deposited, so when stake is called, it would return 0, as 0 > 10*10**18 ? 10*10**18 : 0, the false result will makes the function return the later amount, which is 0. Then when rewards is calculated, since according to the stake function, user stake is 0, then this user will not get any reward, despite having deposited some amount of EUROs tokens in the pool.
Tools Used
Manual review.
Recommendations
Revise the stake function to:
Lead Judging Commences
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.