Open code423n4 opened 2 years ago
Yup, this is good. I tested it and it saves deploy and runtime gas even when using all unchecked math.
```solidity
amountUnlocked_ = _destroyLockedPosition(msg.sender, tokenId_);
if (lockAmount_ > amountUnlocked_) revert InsufficientAmountUnlocked();
newTokenId_ = _createLockedPosition(lockAmount_, duration_, bonusMultiplier_, destination_);
unchecked {
    if (amountUnlocked_ - lockAmount_ != uint256(0)) {
        IERC20(xdefi).transfer(destination_, amountUnlocked_ - lockAmount_);
    }
}
_updateDistributableXDEFI();
```
resolved, valid finding
Handle
WatchPug
Vulnerability details
https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L120-L125
https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L175-L180
Recommendation
Change to:
withdrawAmount; amountUnlocked_ - lockAmount_.