code-423n4 / 2021-10-union-findings


UserManager: totalStaked ≥ totalFrozen should be checked before and after totalFrozen is updated #47

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

itsmeSTYJ

Vulnerability details

Impact

The require statement in updateTotalFrozen and batchUpdateTotalFrozen to check that totalStaked ≥ totalFrozen should be done both before and after _updateTotalFrozen is called to ensure that totalStaked is still ≥ totalFrozen. This will serve as a sanity check to ensure that the integrity of the system is not compromised.
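
The before-and-after invariant check the finding recommends, as an added illustration that is not the Union code: a hypothetical, reduced UserManager whose storage layout, `_updateTotalFrozen(account, isOverdue)` signature and lack of access control are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed reduction of UserManager (not the Union contract): each staker has a
// staked amount and an overdue flag; totalStaked/totalFrozen are the aggregates.
contract UserManagerInvariantDemo {
    struct Staker {
        uint256 stakedAmount;
        bool isOverdue; // true while the staker's balance counts as frozen
    }

    mapping(address => Staker) public stakers;
    uint256 public totalStaked;
    uint256 public totalFrozen;

    function stake(uint256 amount) external {
        stakers[msg.sender].stakedAmount += amount;
        totalStaked += amount;
    }

    // Internal update referenced by the finding: moves the staker's balance
    // into or out of totalFrozen. An accounting bug here (e.g. freezing the
    // same balance twice) is what the post-condition check is meant to catch.
    function _updateTotalFrozen(address account, bool isOverdue) internal {
        Staker storage s = stakers[account];
        if (isOverdue && !s.isOverdue) {
            totalFrozen += s.stakedAmount;
        } else if (!isOverdue && s.isOverdue) {
            totalFrozen -= s.stakedAmount;
        }
        s.isOverdue = isOverdue;
    }

    // Recommended shape: assert the invariant on entry (state is sane before
    // we touch it) and again on exit (the update did not break it).
    function updateTotalFrozen(address account, bool isOverdue) external {
        require(totalStaked >= totalFrozen, "UserManager: invariant broken before update");
        _updateTotalFrozen(account, isOverdue);
        require(totalStaked >= totalFrozen, "UserManager: invariant broken after update");
    }

    function batchUpdateTotalFrozen(address[] calldata accounts, bool[] calldata overdue) external {
        require(accounts.length == overdue.length, "UserManager: length mismatch");
        require(totalStaked >= totalFrozen, "UserManager: invariant broken before update");
        for (uint256 i = 0; i < accounts.length; i++) {
            _updateTotalFrozen(accounts[i], overdue[i]);
        }
        require(totalStaked >= totalFrozen, "UserManager: invariant broken after update");
    }
}
```

The entry check reports corruption left by an earlier call or another code path, while the exit check reverts the transaction that would introduce it, so neither state ever reaches storage.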

GalloDaSballo commented 3 years ago

Agree with the finding and the recommendation of adding an additional require to ensure protocol invariants aren't broken