Description

The distributeRewards function distributes rewards sent to the VeTranche, and it takes in a _totalLockPoints parameter that is expected to equal the contract's totalLockPoints state parameter. If it ever is not equal to that, then a different amount of rewards will be distributed after all shareholders claim rewards, causing either locked funds or insolvency depending on the direction.

Impact

There is no impact, because the VaultManager always correctly calls getTotalLockPoints() to get this quantity to pass back into VeTranche.

However, this is a footgun, since if VeTranche is passed a _totalLockPoints that differs from its state totalLockPoints, it immediately becomes insolvent.

Additionally, it would save gas to have VeTranche read this parameter from its own state, instead of having the information pass from VeTranche to VaultManager back to VeTranche.

Recommendations

Remove this parameter and use the state variable totalLockPoints in VeTranche wherever the value is required.

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit 18b386c5↗.