Summary

While calling the manageUsersInPrivatePool function, state variables poolData.rate and poolData.lastUpdate are repeatedly updated with the same values.

Vulnerability Details

The manageUsersInPrivatePool function looks at the provided list of user and amounts and calls either _stake or _withdraw for each user where the deposited value doesn't correspond with the provided amount.
For each _stake and withdraw call performs an update of poolData after performing the transfer. However, currentPoolRate is computed before the for loop that iterates through the provided user list, and block.timestamp is constant as the update is performed in the same transaction. Consequently, gas is wasted for each user that needs updating by re-setting poolData.rate and poolData.lastUpdate with the same values.

Impact

Gas is spent to perform redundant operations

Tools Used

Remix
Manual inspection

Recommendations

Update _stake and withdraw with a new function argument "bulk". It shall be used to avoid performing update of these two values as following
if (bulk == false) {
poolData.lastUpdate = uint128(block.timestamp);
poolData.rate = currentPoolRate
}

stake shall call _stake with bulk=false
withdraw shall call _withdraw with bulk=false
manageUsersInPrivatePool shall call both functions with bulk=true, and perform the update of poolData