AMOW - OCE_ZVE.forwardEmissions() will forward freshly deposited balance alongside decayed one

[sherlock-admin2]

AMOW

medium

OCE_ZVE.forwardEmissions() will forward freshly deposited balance alongside decayed one

Summary

Freshly pushed funds into OCE_ZVE.sol locker can be prematurely forwarded with currently decaying ones through forwardEmissions()

Vulnerability Detail

forwardEmissions() function catches the current ZVE balance of the OCE_ZVE locker and calls _forwardEmissions where it checks the decay rate and distributes the emissions.

    function forwardEmissions() external nonReentrant {
        uint zveBalance = IERC20(IZivoeGlobals_OCE_ZVE(GBL).ZVE()).balanceOf(address(this));
        _forwardEmissions(zveBalance - decay(zveBalance, block.timestamp - lastDistribution));
        lastDistribution = block.timestamp;
    }

If the function is called right after new funds are pushed into the locker, a portion of the fresh deposit will be immediately sent out despite not having decayed as the rest. It is profitable to wait for decay to accumulate and call the function right after new funds are pushed.

Impact

Unexpected behaviour / Unfair distribution of rewards

Code Snippet

    function forwardEmissions() external nonReentrant {
        uint zveBalance = IERC20(IZivoeGlobals_OCE_ZVE(GBL).ZVE()).balanceOf(address(this));
        _forwardEmissions(zveBalance - decay(zveBalance, block.timestamp - lastDistribution));
        lastDistribution = block.timestamp;
    }

Tool used

Manual Review

Recommendation

Implement forwardEmissions() call within pushToLocker() so lastDistribution counter will reset and start a new decay.

    function pushToLocker(address asset, uint256 amount, bytes calldata data) external override onlyOwner {
        require(
            asset == IZivoeGlobals_OCE_ZVE(GBL).ZVE(), 
            "OCE_ZVE::pushToLocker() asset != IZivoeGlobals_OCE_ZVE(GBL).ZVE()"
        );
        forwardEmissions(); // <----- add this 
        IERC20(asset).safeTransferFrom(owner(), address(this), amount);
    }

Duplicate of #282

[pseudonaut]

Not relevant, likely will call forwardEmissions prior anyways,

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

panprog commented:

medium, dup of #282. This issue describes slightly different scenario, but the core reason is the same - lack of emission reset, which makes new deposits forward some portion from previous update time, and using forwardEmission to reset it is not always possible, because it requires minimum of 100e18 token to forward.