Checks-effects-interactions pattern broken
The function claimRebate
transfers the USDC to the user before setting rebates
to zero.
function claimRebate() external {
usdc.transfer(msg.sender, rebates[msg.sender]);
rebates[msg.sender] = 0;
}
Although this is currently not a security issue, if the protocol decides to use any other token in the future with hooks on transfer, it would be a security risk.