Short Olive Penguin - notifyRewardAmount calls updateIndex() twice, making the second update useless
#116
Labels
Low/Info
A Low/Info severity issue.
Non-Reward
This issue will not receive a payout
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
sherlock-admin4
added
Low/Info
sherlock-admin3
added
Sponsor Confirmed
|
The protocol team fixed this issue in the following PRs/commits: |
|
The Lead Senior Watson signed off on the fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Short Olive Penguin
Low/Info
notifyRewardAmountcallsupdateIndex()twice, making the second update uselessSummary
StakedEXA::notifyRewardAmount()can only be called by the admin role, in the call trace, theupdateIndex()is called twice, first is line 454https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L454
second is line 210
https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L210
Vulnerability Detail
When first call the
updateIndex(), it setsrewardData.indextoglobalIndex(reward), deep into theglobalIndex(), there is(rewardData.rate * (lastTimeRewardApplicable(rewardData.finishAt) - rewardData.updatedAt)), becauserewardData.updatedAtis set tolastTimeRewardApplicable(rewardData.finishAt)at line 122.So the second call ofupdateIndex()will result inrewardData.rate * 0, which is meaning less.Impact
multiple call may cause undesirable behavior and results in unexpected results.
Code Snippet
https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L454
https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L210
Tool used
Manual Review
Recommendation
Remove the first
updateIndex()The text was updated successfully, but these errors were encountered: