AuditProfile

Security blog

A cached variable in the contract

In auditors' Twitter spaces it is customary to brag about great contest payouts or private audits with multiple issues found. But no one ever admits that they might miss an obvious bug.

One day I missed a High severity bug so obvious that I'm shy to talk about it.

This happened in a PoolTogether protocol contest in March. There was a single High severity bug. Just take a look at the code. What do you see here?

The third line of the function caches the total yield fee balance accrued in the contract, which is the amount the fee recipient is entitled to.

uint256 _yieldFeeBalance = yieldFeeBalance;

The next line enforces a comparison check making sure the claimer can't grief other depositors.

Later it subtracts the cached total yield fee balance from the state yield fee balance:

yieldFeeBalance -= _yieldFeeBalance;

So if, say, Bob, the claimant, tried to mint only 50 shares at this point in time with the _shares argument, the code wipes the entire balance of 100!

So whenever the fee recipient claims less than the yieldFeeBalance accrued in the internal accounting, the unclaimed remainder is lost: it stays locked in the contract with no way to pull out the funds.

That was my lesson.

Now I always check for any cached variables.
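
The pattern described above next to its corrected form, as an added example: this is a simplified model written for illustration, not the PoolTogether source. Only `yieldFeeBalance`, `_yieldFeeBalance` and `_shares` come from the post; the contract name, the `sharesOf` mapping, the error names and both function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; not the audited contract.
contract YieldFeeModel {
    uint256 public yieldFeeBalance;              // fees accrued, denominated in shares
    mapping(address => uint256) public sharesOf; // stand-in for the vault's share token
    address public immutable feeRecipient;

    error NotFeeRecipient();
    error SharesExceedYieldFeeBalance(uint256 shares, uint256 balance);

    constructor(address _feeRecipient, uint256 _accrued) {
        feeRecipient = _feeRecipient;
        yieldFeeBalance = _accrued; // e.g. 100, as in the Bob scenario
    }

    modifier onlyFeeRecipient() {
        if (msg.sender != feeRecipient) revert NotFeeRecipient();
        _;
    }

    // Vulnerable pattern: the cached total is subtracted instead of the claimed amount.
    function claimVulnerable(uint256 _shares) external onlyFeeRecipient {
        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedYieldFeeBalance(_shares, _yieldFeeBalance);
        yieldFeeBalance -= _yieldFeeBalance; // 100 - 100 = 0, even when _shares == 50
        sharesOf[msg.sender] += _shares;     // only 50 minted; the other 50 can never be claimed
    }

    // Corrected pattern: the cache serves the bound check, the claim amount drives the update.
    function claimFixed(uint256 _shares) external onlyFeeRecipient {
        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedYieldFeeBalance(_shares, _yieldFeeBalance);
        yieldFeeBalance = _yieldFeeBalance - _shares; // 100 - 50 = 50 stays claimable
        sharesOf[msg.sender] += _shares;
        // Invariant worth testing on any partial claim:
        // balance before == balance after + shares minted.
        assert(yieldFeeBalance + _shares == _yieldFeeBalance);
    }
}
```

A partial-claim test (claim 50 of 100, then check that 50 is still claimable) is enough to distinguish the two functions; a full-balance claim behaves identically in both, which is why the bug is easy to miss.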
