Delayed force unlock causes reward insolvency
Description
Keeper bots are responsible for calling forceUnlock
in order to unlock expired lock positions after their lock time has passed. However, if forceUnlock
is not called on an expired lock position, it continues earning rewards.
Impact
If the keeper bot fails to forceUnlock
an expired position and a rewards distribution happens, the expired position will accrue undue rewards.
Recommendations
To fix this on chain while keeping constant-time rewards allocations and distributions, the cumulative rewards-per-sharepoint value can be saved in an array instead of an updated state variable, alongside the time of the rewards distribution. Then, unlock can check if a reward distribution has happened since the lock expired — if it did, then either binary search for the value at expiration time or require that the user supply it as a parameter.
Remediation
Avantis remediated this issue by ensuring that the unlock bots have reasonably low latency.