Local variable shadowing in SablierFlow::_withdraw function can cause confusion and bugs in the code.
Summary
The _withdraw function in the SablierFlow contract has a local variable named protocolFee that shadows a state variable of the same name from the SablierFlowBase contract. This shadowing can lead to confusion and potential bugs, making it unclear which protocolFee is being referenced in calculations.
Vulnerability Details
The _withdraw function in the SablierFlow contract shadows the protocolFee state variable from the base contract (SablierFlowBase) with a local variable of the same name.
Impact
This shadowing can lead to confusion and potential bugs in the code. It might not be clear if the local protocolFee refers to the total protocol fee or the protocol fee for the current token. If the intention is to use the base contract's protocolFee, using the same name for the local variable might lead to incorrect calculations or logic errors.
Tools Used
Recommendations
Rename the local variable to avoid shadowing. For example:
Then use localProtocolFee instead of protocolFee in the subsequent calculations.
This change improves code clarity and reduces the risk of unintended behavior due to naming conflicts. It ensures that the correct protocolFee is being used in the calculations, preventing potential logical errors.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.