C01: PrizePool#sweepTimelockBalances can handle dup addresses

[asselstine]

No description provided.

[linear]

POOL-384 OZ Audit C01

The sweepTimelockBalances function accepts a list of users with unlocked balances to distribute. However, if there are duplicate users in the list, their balances will be counted multiple times when calculating the total amount to withdraw from the yield service. This has two consequences:

• After the transaction is complete, the excess amount withdrawn will be held by the PrizePool contract (instead of the yield service) and will not earn interest
• Eventually, a user will want to withdraw that amount, which will fail when the PrizePool attempts to redeem it from the yield service. This means the last users to withdraw will lose their funds. Interestingly, in the case of the CompoundPrizePool, this is partially mitigated by the “[H01] Improper Error Handling” issue.

Consider checking for duplicate users when calculating the amount to withdraw.