User can not be stored to the holders array and lose rewards
Summary
In case if user will remove his full stake position during 1 day from his new pending position then he will not be stored to the holders array and lose rewards.
Vulnerability Details
increasePosition function creates pending stake for a user. Also user is added to the holders array. Each time, when consolidatePendingStakes function is called, then it fetches all pending stakes that are older than 1 day and removes them. Also user's position is increased then.
When decreasePosition is called, then user is removed from holders array in case if his current position is empty. Note, that consolidatePendingStakes is called before balance decrease.
Here is example, when user will be removed from holders array, even if he has stake.
user has position and is included in
holdersarrayuser increases position
after 3 hours user decreases position with all current balance, user is removed from
holdersarrayafter some time someone do action that calls
consolidatePendingStakesand user's position is not empty anymore, but he is not in theholdersarrayas result user that stakes tokens do not receive rewards and can't participate in liquidation
Impact
Loss of rewards for staker
Tools Used
VsCode
Recommendations
When you remove pending stake then add owner if doesn't exist
Lead Judging Commences
deletePosition-issye
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.