code-423n4 / 2024-02-althea-liquid-infrastructure-findings


`_withdrawBalancesTo()` - Either the owner but more likely an approved `msg.sender` who didn't know any better, OR knows but is rogue, calls this internal function via the calling functions (`withdrawBalances` or `withdrawBalancesTo`) DURING an active distribution, which is not allowed, but possible here. #755

Closed c4-bot-8 closed 8 months ago

c4-bot-8 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/3adc34600561077ad4834ee9621060afd9026f06/liquid-infrastructure/contracts/LiquidInfrastructureNFT.sol#L171-L186

Vulnerability details

Because there are no checks here to check if `LockedForDistribution` is set. This check is ONLY in the ERC20 contract, and should be added here too. This likely means one can transfer tokens to the ERC20 contract during partial distributions and cause inconsistent/unexpected state changes to balances of the ERC20 contract, which could affect the share of distributions to holders; unfair distributions, in other words.

So a check needs to be implemented in the `_withdrawBalancesTo` function, not the two calling functions, to check the value of `LiquidInfrastructureERC20.LockedForDistribution()`. If true, it should revert and throw an error.

Assessed type

Invalid Validation
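The guard the report asks for, placed on the shared internal path so that both public entry points inherit it, as an added illustration that is not the project's code and not taken from the linked file. The contract name, the `distributor` field, the `IDistributionLock` interface, the `WithdrawDuringDistribution` error and the minimal `IERC20` are assumptions made for this sketch; only the function names `withdrawBalances`, `withdrawBalancesTo`, `_withdrawBalancesTo` and the flag name `LockedForDistribution` come from the thread.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used below (assumed for the sketch).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed interface: a public `bool LockedForDistribution` variable on the
// distributing ERC20 yields an auto-generated getter with this signature.
interface IDistributionLock {
    function LockedForDistribution() external view returns (bool);
}

// Illustrative NFT-side contract (not LiquidInfrastructureNFT itself).
contract GuardedWithdrawSketch {
    address public owner;
    IDistributionLock public distributor; // hypothetical: the ERC20 whose lock is honoured

    error WithdrawDuringDistribution();

    constructor(address _distributor) {
        owner = msg.sender;
        distributor = IDistributionLock(_distributor);
    }

    // The check lives on the internal function, so neither public caller can bypass it.
    modifier notDistributing() {
        if (distributor.LockedForDistribution()) revert WithdrawDuringDistribution();
        _;
    }

    function withdrawBalances(address[] calldata erc20s) external {
        require(msg.sender == owner, "not owner");
        _withdrawBalancesTo(erc20s, msg.sender);
    }

    function withdrawBalancesTo(address[] calldata erc20s, address destination) external {
        require(msg.sender == owner, "not owner");
        _withdrawBalancesTo(erc20s, destination);
    }

    // Sweeps each listed token's full balance to `destination`; reverts while a
    // distribution is in progress on the linked ERC20.
    function _withdrawBalancesTo(address[] calldata erc20s, address destination)
        internal
        notDistributing
    {
        for (uint256 i = 0; i < erc20s.length; i++) {
            IERC20 token = IERC20(erc20s[i]);
            uint256 bal = token.balanceOf(address(this));
            if (bal > 0) {
                require(token.transfer(destination, bal), "transfer failed");
            }
        }
    }
}
```

Since the judge in this thread marked the report invalid for lack of demonstrated impact, read the modifier as a defence-in-depth pattern (keep the invariant where the state is mutated, not only at one caller) rather than as a fix for a confirmed bug. The cost is one external view call per withdrawal and a hard dependency on the distributor's address being set correctly.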

0xRobocop commented 9 months ago

Invalid

c4-pre-sort commented 9 months ago

0xRobocop marked the issue as insufficient quality report

c4-judge commented 8 months ago

0xA5DF marked the issue as unsatisfactory: Invalid

0xA5DF commented 8 months ago

No impact demonstrated