AUDIT: 36903

[coachchucksol]

• Call process_update_vault first thing in the mint_to function. This is the least invasive way of solving this issue, at the cost of some double checking of accounts

Entry:
36903 (High) "The vault reward mechanism can be sandwiched by MEV"

UpdateVaultBalance is not strictly required before mint, or other actions involving vault.deposited_tokens, so new depositors can claim an unfairly large portion of rewards. The reports describe a scenario where rewards have been deposited, but the vault balance has not yet been updated. If a new depositor mints tokens before the balance update, they are included in the reward distribution calculation. In this way, they can claim a share of rewards that they did not contribute to.

The following are duplicates of this submission:

37311 "Attackers can steal rewards by depositing, updating vault balance and withdrawing immediately after a large reward is deposited"

27295 "Rewards can be stolen by depositing immediately after reward tokens get sent to vault"

37315 "Theft of Unclaimed Yields Due to Improper Reward Distribution in Vault Program"

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.71%. Comparing base (c736bca) to head (0fd6ce2).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #192      +/-   ##
==========================================
+ Coverage   80.70%   80.71%   +0.01%     
==========================================
  Files          91       91              
  Lines        9944     9953       +9     
==========================================
+ Hits         8025     8034       +9     
  Misses       1919     1919              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ebatsell]

Need to remove overlap code from #191

[buffalu]

this can brick minting if gets in state where effective rate isn't ok?