UsualSP::removeOriginalAllocation does not call _updateRewards causing user to lose all rewards earned from the allocation

Summary

_updateRewards is meant to accrue a user rewards to state and should be called before making any change to the users balance to ensure that the user doesnt lose rewards or earn too much however when removeOriginalAllocation is called, this doesnt happen causing the user too lose the rewards along with the allocation

https://github.com/sherlock-audit/2024-10-usual-labs-v1/blob/main/pegasus/packages/solidity/src/token/UsualSP.sol#L367-L384

Root Cause

_updateRewards is not called

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The user will lose all their rewards accrued from the removed allocation

PoC

assume a user bob has an original allocation of 100e18 and has earned 5e18 in rewards if removeOriginalAllocation, bob would also lose the 5 usual tokens he has earned in rewards

Mitigation

removeOriginalAllocation should call _updateReward before setting the user allocations to zero

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

089.md

089.md

UsualSP::removeOriginalAllocation does not call _updateRewards causing user to lose all rewards earned from the allocation

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

089.md

Latest commit

History

089.md

File metadata and controls

UsualSP::removeOriginalAllocation does not call _updateRewards causing user to lose all rewards earned from the allocation

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation