code-423n4 / 2021-07-spartan-findings


SynthVault withdraw forfeits rewards #168

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The SynthVault.withdraw function does not claim the user's rewards. It decreases the user's weight and therefore they are forfeiting their accumulated rewards. The synthReward variable in _processWithdraw is also never used - it was probably intended that this variable captures the claimed rewards.

Impact

Usually, withdrawal functions claim rewards first but this one does not. A user that withdraws loses all their accumulated rewards.

Recommended Mitigation Steps

Claim the rewards with the user's deposited balance first in withdraw.
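The two withdraw orderings described above, side by side, as an added illustration that is not part of this issue or of SpartanProtocol's code. The contract below is a hypothetical weight-based vault with accumulator-style reward accounting (`accRewardPerWeight`, `rewardDebt`), which is an assumption made for this example; the real SynthVault's storage layout and reward formula are not reproduced here. The names `WeightVault`, `notifyReward`, `pending`, `withdrawForfeiting`, `withdraw` and `_harvest` are likewise assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical vault used only to illustrate the finding above.
/// Not SpartanProtocol's SynthVault: the accumulator accounting, names and
/// storage layout are assumptions for this example.
contract WeightVault {
    IERC20 public immutable synth;   // token members deposit (assumed)
    IERC20 public immutable base;    // token paid out as rewards (assumed)

    uint256 public constant PRECISION = 1e18;
    uint256 public totalWeight;
    uint256 public accRewardPerWeight;             // cumulative reward per unit of weight

    mapping(address => uint256) public weight;     // member's deposited amount
    mapping(address => uint256) public rewardDebt; // weight * accRewardPerWeight at last settlement

    constructor(IERC20 _synth, IERC20 _base) {
        synth = _synth;
        base = _base;
    }

    // Rewards streamed in are split pro rata by the weight present at that moment.
    function notifyReward(uint256 amount) external {
        require(totalWeight > 0, "no stakers");
        require(base.transferFrom(msg.sender, address(this), amount), "transfer failed");
        accRewardPerWeight += amount * PRECISION / totalWeight;
    }

    // Reward accrued to `member` since its last settlement.
    function pending(address member) public view returns (uint256) {
        return weight[member] * accRewardPerWeight / PRECISION - rewardDebt[member];
    }

    function deposit(uint256 amount) external {
        _harvest(msg.sender); // settle first so the new weight does not earn retroactively
        require(synth.transferFrom(msg.sender, address(this), amount), "transfer failed");
        weight[msg.sender] += amount;
        totalWeight += amount;
        rewardDebt[msg.sender] = weight[msg.sender] * accRewardPerWeight / PRECISION;
    }

    // VULNERABLE ORDERING (the pattern the issue describes): the accrued reward is
    // computed into a local that is never used, the weight is reduced and the
    // baseline re-based, so everything `pending()` returned is silently dropped.
    function withdrawForfeiting(uint256 amount) external {
        uint256 synthReward = pending(msg.sender); // computed, never paid out
        weight[msg.sender] -= amount;
        totalWeight -= amount;
        rewardDebt[msg.sender] = weight[msg.sender] * accRewardPerWeight / PRECISION;
        require(synth.transfer(msg.sender, amount), "transfer failed");
        // synthReward is now unreachable: the member's share is forfeited.
    }

    // RECOMMENDED ORDERING: settle rewards against the pre-withdrawal weight,
    // then reduce the weight and return the deposit.
    function withdraw(uint256 amount) external {
        _harvest(msg.sender);
        weight[msg.sender] -= amount;
        totalWeight -= amount;
        rewardDebt[msg.sender] = weight[msg.sender] * accRewardPerWeight / PRECISION;
        require(synth.transfer(msg.sender, amount), "transfer failed");
    }

    // Pays out whatever `member` has accrued and resets its baseline. The
    // state write happens before the external transfer (checks-effects-interactions).
    function _harvest(address member) internal {
        uint256 owed = pending(member);
        rewardDebt[member] = weight[member] * accRewardPerWeight / PRECISION;
        if (owed > 0) {
            require(base.transfer(member, owed), "reward transfer failed");
        }
    }
}
```

With this model, a member who deposits, waits for one `notifyReward`, and then calls `withdrawForfeiting` ends with `pending()` equal to zero and no `base` received, while `withdraw` pays the same member the full accrued amount before touching its weight. If the concern is that an external call inside the withdraw path is risky, the usual answer is to keep the claim and guard the function (state updates before transfers, or a reentrancy guard) rather than to drop the claim.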

verifyfirst commented 3 years ago

We understand there is a risk of losing unclaimed rewards if a user directly interacts with the synth-vault and not the DAPP. This is a design choice to protect the withdrawal function. We affirm the synthReward variable to be culled.