Internal Vault Functions Update State After External Calls
Description
Two internal vault operation functions in the protocol update state variables after making external calls, which deviates from the best practice Checks-Effects-Interactions pattern. While these are internal functions with limited exposure, maintaining consistent patterns across the codebase is important for code quality and maintainability.
Affected code
Vulnerability details
The core issue lies in the sequencing of operations within both internal vault functions. The _withdrawFromVault function performs the withdrawal operation before decreasing totalVaultDeposits, while _depositIntoVault executes the approve and deposit calls before increasing totalVaultDeposits. This ordering deviates from the Checks-Effects-Interactions pattern.
Since these are internal functions, they can only be called by other functions within the contract, limiting the potential impact. The functions _ensureLiquidity and _rebalanceLiquidity use these vault operation functions as part of their implementation.
Tools Used
Manual Review
Recommended Mitigation Steps
While the impact is limited due to the internal nature of these functions, it's recommended to follow the Checks-Effects-Interactions pattern for consistency:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.