code-423n4 / 2024-05-munchables-findings


Users can miss out on some rewards #460

Closed howlbot-integration[bot] closed 5 months ago

howlbot-integration[bot] commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L311-L398

Vulnerability details

Impact

Users can receive fewer rewards than they were entitled to during a lockdrop event because of the way the code is structured.

Proof of Concept

When a user calls lock during a lockdrop event, the amount they deposit is used to mint a certain number of NFTs, and all of the unused funds are saved in remainder so that they can be used in the next transaction.

If the user increases their lock amount outside a lockdrop event, the variable remainder is set to 0 even if it held funds before. The variable is declared and left with its default value of 0, and it is only changed during a lockdrop event. It is then used to set the user's actual remainder: `lockedToken.remainder = remainder;`

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L344-L379

After I consulted a member of the contract's team, they confirmed that this behavior is unintended and that remainder is supposed to remain the same when there is no lockdrop event.

The issue is also not uncommon, since anyone can add 0 funds to your lock by calling lockOnBehalf and reset your remainder value to 0.

Tools Used

Manual review

Recommended Mitigation Steps

Set remainder with `uint256 remainder = lockedToken.remainder;` to ensure that the value is preserved.

Assessed type

Context
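The local-variable pattern the report describes, reduced to a standalone illustration. This is added example code, not the project's LockManager and not the warden's submission; the contract, struct, function and constant names (RemainderPattern, LockedToken, lockdropActive, lock, lockFixed, NFT_COST) are hypothetical. `lock` shows the structure the report claims (a fresh local `remainder` assigned only in the lockdrop branch and then written back to storage), and `lockFixed` shows the recommended mitigation of seeding the local from storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the pattern described in the report. Hypothetical
/// names throughout; the real LockManager has different storage and logic.
contract RemainderPattern {
    struct LockedToken {
        uint256 quantity;   // total tokens locked by the user
        uint256 remainder;  // funds below one NFT's cost, carried to the next lock
    }

    uint256 public constant NFT_COST = 1 ether; // assumed price of one NFT
    bool public lockdropActive;
    mapping(address => LockedToken) public locked;
    mapping(address => uint256) public nftsMinted;

    function setLockdrop(bool active) external {
        lockdropActive = active;
    }

    /// Structure as the report describes it: `remainder` is a fresh local,
    /// so outside a lockdrop it stays 0 and the write-back wipes storage.
    function lock(address user, uint256 amount) external {
        LockedToken storage lt = locked[user];
        lt.quantity += amount;

        uint256 remainder; // defaults to 0
        if (lockdropActive) {
            // carry-over from the previous lock is spent first
            uint256 total = amount + lt.remainder;
            nftsMinted[user] += total / NFT_COST;
            remainder = total % NFT_COST;
        }
        // With lockdropActive == false this stores 0, even if lt.remainder
        // held funds before. lock(user, 0) is enough to trigger it.
        lt.remainder = remainder;
    }

    /// The report's recommended mitigation: initialize the local from storage
    /// so a lock outside a lockdrop leaves the stored remainder unchanged.
    function lockFixed(address user, uint256 amount) external {
        LockedToken storage lt = locked[user];
        lt.quantity += amount;

        uint256 remainder = lt.remainder; // preserved unless recomputed below
        if (lockdropActive) {
            uint256 total = amount + lt.remainder;
            nftsMinted[user] += total / NFT_COST;
            remainder = total % NFT_COST;
        }
        lt.remainder = remainder;
    }
}
```

To see the difference, deploy the contract, enable the lockdrop, lock 1.5 ether for a user (1 NFT minted, remainder 0.5 ether), disable the lockdrop, and call `lock(user, 0)`: the stored remainder becomes 0. Repeating the same sequence with `lockFixed` leaves it at 0.5 ether. Whether the real contract actually behaves like `lock` here is exactly what the judge's ruling below disputes.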

c4-judge commented 5 months ago

alex-ppg marked the issue as unsatisfactory: Invalid