In MlumStaking.sol emergencyWithdraw(uint256 tokenId) does not update the pool before withdrawing

Summary

emergencyWithdraw(uint256 tokenId) in MlumStaking.sol should do an _updatePool() to correctly update the reward parameters just like the other withdraw functions

Vulnerability Detail

   function emergencyWithdraw(uint256 tokenId) external override nonReentrant {
        _requireOnlyOwnerOf(tokenId);

        StakingPosition storage position = _stakingPositions[tokenId];

        // position should be unlocked
        require(
            _unlockOperators.contains(msg.sender)
                || (position.startLockTime + position.lockDuration) <= _currentBlockTimestamp() || isUnlocked(),
            "locked"
        );
        // emergencyWithdraw: locked

        uint256 amount = position.amount;

        // update total lp supply
        _stakedSupply = _stakedSupply - amount;
        _stakedSupplyWithMultiplier = _stakedSupplyWithMultiplier - position.amountWithMultiplier;

        // destroy position (ignore boost points)
        _destroyPosition(tokenId);

        emit EmergencyWithdraw(tokenId, amount);
        stakedToken.safeTransfer(msg.sender, amount);
    }

An _updatePool() should be called to correctly update the _accRewardsPerShare before withdrawing the amount and affecting the totalsupply or else it might affect the reward calculation of other users

Impact

Without correctly updating the _accRewardsPerShare , future reward calculation might be affected.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L536C2-L560C6

Tool used

Manual Review

Recommendation

Call the _updatePool() before withdrawing the amount and affecting the totalsupply

Duplicate of #376

sherlock-audit / 2024-06-magicsea-judging

LeFy - In MlumStaking.sol emergencyWithdraw(uint256 tokenId) does not update the pool before withdrawing #638