Description

Keeper bots are responsible for calling forceUnlock in order to unlock expired lock positions after their lock time has passed. However, if forceUnlock is not called on an expired lock position, it continues earning rewards.

Impact

If the keeper bot fails to forceUnlock an expired position and a rewards distribution happens, the expired position will accrue undue rewards.

Recommendations

To fix this on chain while keeping constant-time rewards allocations and distributions, the cumulative rewards-per-sharepoint value can be saved in an array instead of an updated state variable, alongside the time of the rewards distribution. Then, unlock can check if a reward distribution has happened since the lock expired — if it did, then either binary search for the value at expiration time or require that the user supply it as a parameter.

Remediation

Avantis remediated this issue by ensuring that the unlock bots have reasonably low latency.