code423n4 commented 2 years ago

Handle

hack3r-0m

Vulnerability details

https://github.com/XDeFi-tech/xdefi-distribution/blob/master/contracts/XDEFIDistribution.sol#L142

there is no incentive for end-users to call updateDistribution() function and hence the value of _pointsPerUnit being stale can result in improper calculations of distribution.

Tools Used

Manual Review

Recommended Mitigation Steps

call it internally before every lock
take precautions to check values are not stale i.e it was updated at least once in "x" blocks

deluca-mike commented 2 years ago

Agreed. We will call updateDistribution() before all locks, unlocks, and relocks.

deluca-mike commented 2 years ago

Duplicate #30

code-423n4 / 2022-01-xdefi-findings

stale `_pointsPerUnit` if `updateDistribution` frequently #190

Handle

Vulnerability details

Tools Used

Recommended Mitigation Steps