code-423n4 / 2024-05-munchables-findings


Remainder is reset to 0 when subsequent lock is made outside the Lockdrop Period #450

Closed howlbot-integration[bot] closed 5 months ago

howlbot-integration[bot] commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L311-L398

Vulnerability details

Impact

Impact: Medium

Likelihood: High

When a user makes an initial lock within the lockdrop period and has a remainder, and then makes a subsequent lock outside the lockdrop period, the handling of the remainder can lead to issues.

Specifically, if the subsequent lock outside the lockdrop period resets the remainder, it can lead to an incorrect calculation of NFT eligibility in future lockdrop periods.

Proof of Concept

NFT Cost: 1000 USDB

  1. Initial Lock (Within Lockdrop Period):

Bob locks 500 USDB. Remainder: 500 USDB

  2. Subsequent Lock (Outside Lockdrop Period):

Bob locks another 200 USDB.

The previous remainder of 500 USDB from the first lock is reset to 0 and not considered correctly for future NFT eligibility calculation.

Tools Used

Manual Review, Foundry

Recommended Mitigation Steps

Modify the _lock function to ensure that the remainder from locks within the lockdrop period is not erased by subsequent locks outside the lockdrop period.

Assessed type

Math

c4-judge commented 5 months ago

alex-ppg marked the issue as unsatisfactory: Invalid