code-423n4 / 2021-11-streaming-findings


Not tracking tokens claimed minus deposit tokens (Locke.sol) #272

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xwags

Vulnerability details

Impact

We are not keeping track of the number of tokens that are being decremented/removed from deposit tokens. It is only accounting for every token that is being claimed. Each amount of tokens that we are redeeming should be subtracted from the amount of tokens attributable to the specific deposited tokens.

Proof of Concept

Lines 532-549

Tools Used

Manual Analysis

Recommended Mitigation Steps

Consider adding Deposittokens -= redeemeddeposittokens; at line 545

brockelmore commented 2 years ago

depositTokenAmount is supposed to be a high-water mark for total deposited tokens and redeemed is supposed to keep track of the redeemed. To get current attributable tokens, you subtract redeemed from the high-water mark.

0xean commented 2 years ago

Closing as invalid based on sponsor's explanation of the variable intention.