Credit accrual is done twice in `award`

[code423n4]

Handle

cmichel

Vulnerability details

The credit is accrued twice in award. The first accrual happens implicitly when calling _mint through the ControlledToken(controlledToken).controllerMint call which then performs the PrizePool.beforeTokenTransfer hook which accrues credit. Then the explicit accrual is done again. It should be enough to only add the extraCredit without doing another accrual (calling _updateCreditBalance(..., newBalance= _applyCreditLimit(controlledToken, controlledTokenBalance, uint256(creditBalance.balance).add(credit).add(extra))) instead).

[asselstine]

We could:

• remove the credit accrual from the beforeTokenTransfer for minting
• Call _accrueCredit everywhere that _mint is called, and for award ensure that we call it before mint and with the extra credit