This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

Ch_301 - Users could be arbitrarily ejected from the rollover queue #263

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

sherlock-admin commented Mar 27, 2023

Ch_301

medium

Users could be arbitrarily ejected from the rollover queue

Summary

Vulnerability Detail

In case Bob has already queued up a rollover, let's say:

- `ownerToRollOverQueueIndex[address(Bob)] == X`
- `ownerToRollOverQueueIndex[address(Alice)] == rolloverQueue.length - 1`
- `rolloverAccounting[epoch Y] == X+5`
- epoch Y exists and has not started yet
- `rolloverQueue.length == Z` and (`X+5 < Z`)

Bob will invoke `delistInRollover()`, and this logic will execute:

```solidity
else {
    rolloverQueue[index] = rolloverQueue[length - 1];
    rolloverQueue.pop();
    ownerToRollOverQueueIndex[rolloverQueue[index].receiver] = index + 1;
    delete ownerToRollOverQueueIndex[_owner];
}
```

So Alice's queue will be `ownerToRollOverQueueIndex[address(Alice)] == X`.
As we know, `rolloverAccounting[epoch Y] == X+5`.

Now Alice thinks she will be in epoch Y. But unfortunately, this will never happen;
in this way, she could only be in the next epoch Y+1.

Impact

The logic of delistInRollover() could corrupt the rollover queue

Code Snippet

Tool used

Manual Review

Recommendation

You need to check rolloverAccounting[ ] for the next epoch with rolloverQueue[index]

Duplicate of #72

@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
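
The scenario in the report as a simplified Python model, added here as an example; it is not code from the report or from the audited project. It assumes `rolloverAccounting[epoch]` is a cursor of queue slots already processed for that epoch; the `mint_rollovers` helper, the `tombstone` option (one possible alternative to swap-and-pop) and the user names are hypothetical.

```python
# Simplified model (assumption): cursor[epoch] counts how many queue slots
# were already processed for that epoch, like rolloverAccounting on the page.
class RolloverQueue:
    def __init__(self, tombstone=False):
        self.queue = []             # rolloverQueue: receivers (None = cleared slot)
        self.index_of = {}          # ownerToRollOverQueueIndex: owner -> slot + 1
        self.cursor = {}            # rolloverAccounting: epoch -> slots processed
        self.tombstone = tombstone  # hypothetical alternative: clear the slot in place

    def enlist(self, owner):
        self.queue.append(owner)
        self.index_of[owner] = len(self.queue)

    def delist(self, owner):
        index = self.index_of[owner] - 1
        if self.tombstone:
            self.queue[index] = None          # positions never shift
        elif index == len(self.queue) - 1:
            self.queue.pop()
        else:                                 # the branch quoted in the report
            self.queue[index] = self.queue[-1]
            self.queue.pop()
            self.index_of[self.queue[index]] = index + 1
        del self.index_of[owner]

    def mint_rollovers(self, epoch, operations):
        """Process up to `operations` slots from the epoch's cursor; return who was rolled."""
        start = self.cursor.get(epoch, 0)
        end = min(start + operations, len(self.queue))
        self.cursor[epoch] = end
        return [r for r in self.queue[start:end] if r is not None]


def rolled_into_epoch(tombstone):
    """Replay the report's scenario with X = 3, cursor = X + 5 = 8, Z = 10."""
    q = RolloverQueue(tombstone)
    # Constructed sample queue: Bob in slot 3 (1-based), Alice in the last slot.
    for user in ["u0", "u1", "bob", "u3", "u4", "u5", "u6", "u7", "u8", "alice"]:
        q.enlist(user)
    rolled = q.mint_rollovers("Y", 8)   # cursor for epoch Y is now past Bob's slot
    q.delist("bob")                     # swap-and-pop moves Alice behind the cursor
    rolled += q.mint_rollovers("Y", len(q.queue))
    return rolled


if __name__ == "__main__":
    print("swap-and-pop:", rolled_into_epoch(False))
    print("tombstone:   ", rolled_into_epoch(True))
```

With swap-and-pop, Alice lands in a slot the epoch Y cursor has already passed and is never processed for that epoch; clearing the slot in place keeps every remaining entry ahead of or behind the cursor exactly as it was.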