F-2025-0023 · code-quality

State updates in distribute() function deviate from CEI pattern best practices

Fixed · liquid-staking · lst · staking-pools · github.com/matchain/contracts
TL;DR

distribute() interleaves matToken.safeTransfer external calls with distributedAmount += share local state updates. Already protected by nonReentrant, but it deviates from strict CEI ordering and is harder to reason about.

Severity
INFO
Impact
LOW
Likelihood
LOW
Method
Manual review
CAT.
Complexity
LOW
Exploitability
LOW

Description

The distribute() function in the FeeDistributionVault contract interleaves external calls (matToken.safeTransfer()) with local state updates (distributedAmount += share). While this implementation is protected by the nonReentrant modifier, it deviates from the Checks-Effects-Interactions (CEI) pattern best practice.


Impact

Defence-in-depth concern only. The nonReentrant modifier already prevents reentrancy in this function. Following CEI in addition makes the function easier to audit and lowers the risk of a future change introducing a bug.


Recommendation

Refactor the distribute() function to strictly follow the CEI pattern by calculating all shares first, then performing all external transfers afterward. This would improve code quality and reduce the risk of introducing vulnerabilities in future updates.
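To make the recommended ordering concrete, the following is an added illustration written for this finding, not code from github.com/matchain/contracts: the interleaved shape the finding describes next to a CEI-ordered distribute(). The recipients/weights arrays, the basis-point split and the OpenZeppelin imports are assumptions; only matToken, distributedAmount, safeTransfer and nonReentrant come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract FeeDistributionVaultCEI is ReentrancyGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable matToken;
    uint256 public distributedAmount;
    address[] public recipients;   // assumed: fee recipients
    uint256[] public weights;      // assumed: split in basis points, sums to BPS
    uint256 private constant BPS = 10_000;

    constructor(IERC20 _matToken, address[] memory _recipients, uint256[] memory _weights) {
        require(_recipients.length == _weights.length, "length mismatch");
        matToken = _matToken;
        recipients = _recipients;
        weights = _weights;
    }

    // Shape the finding describes: each recipient's state update sits after that
    // recipient's external call. Safe only because of nonReentrant, so a reader
    // must reason about the modifier to trust the accounting.
    function distributeInterleaved(uint256 amount) external nonReentrant {
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 share = amount * weights[i] / BPS;
            matToken.safeTransfer(recipients[i], share);   // Interaction
            distributedAmount += share;                    // Effect after Interaction
        }
    }

    // CEI ordering: compute every share and finish all storage writes first,
    // then make the external calls. nonReentrant stays on as defence in depth.
    function distribute(uint256 amount) external nonReentrant {
        uint256 n = recipients.length;
        uint256[] memory shares = new uint256[](n);
        uint256 total;
        for (uint256 i = 0; i < n; i++) {          // Checks + share calculation
            shares[i] = amount * weights[i] / BPS;
            total += shares[i];
        }
        distributedAmount += total;                // Effects: all state written once
        for (uint256 i = 0; i < n; i++) {          // Interactions: external calls last
            if (shares[i] != 0) matToken.safeTransfer(recipients[i], shares[i]);
        }
    }
}
```

A reviewer can verify distribute() by checking that no storage write follows the first safeTransfer; a revert in any transfer still rolls back the distributedAmount update, so the accounting cannot drift.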


© 2026 Zealynx