The internal `_redeem` function contains a potential vulnerability related to the order of operations when updating state. This could lead to inconsistent and inaccurate state changes.
In the _redeem function, the unredeemedEpoch and totalStake values are updated after the rewards calculation is performed. While this might work in most cases, it introduces a risk of inconsistent state if the function is interrupted (e.g., by a reentrancy attack or unexpected failure) after the rewards calculation but before the state updates.
The vulnerability arises because the function does not follow the "Checks-Effects-Interactions" (CEI) pattern strictly. By updating critical state variables after performing calculations, there is a risk that these updates may not occur if an error or reentrancy attack happens at the wrong time.
Failure to update the unredeemedEpoch and totalStaked values before calculating rewards can lead to inconsistencies in user data, potentially allowing for incorrect reward calculations in the future.
Although the function is internal and not directly exposed to users, if an external call indirectly triggers this function in an unexpected manner, the lack of strict state management could be exploited.
Manual review
Follow the CEI pattern: perform the checks first, write the `unredeemedEpoch` and `totalStaked` updates before the rewards calculation and any external interaction, and only then interact with other contracts.
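The ordering problem and the recommended fix, shown side by side in a hypothetical sketch (added here, not the audited project's code): only the names `_redeem`, `unredeemedEpoch` and `totalStaked` come from the finding; `stakeOf`, `currentEpoch`, `rewardPerStakePerEpoch`, `_payout` and the reward formula are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the staking contract's storage. Names other than
// unredeemedEpoch and totalStaked are assumed, not taken from the audited code.
contract RedeemOrdering {
    mapping(address => uint256) public unredeemedEpoch;
    mapping(address => uint256) public stakeOf;
    uint256 public totalStaked;
    uint256 public currentEpoch;
    uint256 public rewardPerStakePerEpoch = 1e15; // constructed value

    event Redeemed(address indexed user, uint256 stake, uint256 reward);

    // Ordering the finding describes: the reward is computed and paid out
    // first, and the bookkeeping is written only afterwards. A revert or a
    // re-entrant call between the two leaves unredeemedEpoch/totalStaked stale.
    function _redeemBefore(address user) internal {
        uint256 stake = stakeOf[user];
        uint256 reward = _calculateReward(user, stake);
        _payout(user, stake + reward);            // interaction
        unredeemedEpoch[user] = currentEpoch;     // effects (too late)
        totalStaked -= stake;
        stakeOf[user] = 0;
    }

    // CEI ordering recommended by the finding: checks, then every state
    // write, then the external interaction last.
    function _redeemAfter(address user) internal {
        uint256 stake = stakeOf[user];
        require(stake > 0, "nothing to redeem");          // checks
        uint256 reward = _calculateReward(user, stake);   // pure read, no state change
        unredeemedEpoch[user] = currentEpoch;             // effects
        totalStaked -= stake;
        stakeOf[user] = 0;
        _payout(user, stake + reward);                    // interaction
        emit Redeemed(user, stake, reward);
    }

    // Assumed reward formula: stake scaled by epochs since the last redemption.
    function _calculateReward(address user, uint256 stake) internal view returns (uint256) {
        uint256 epochs = currentEpoch - unredeemedEpoch[user];
        return stake * epochs * rewardPerStakePerEpoch / 1e18;
    }

    // Placeholder for the token transfer; in the real contract this is the
    // external call that makes the ordering matter.
    function _payout(address, uint256) internal virtual {}
}
```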