A CEI violation and bad state update sequence in Staking.sol's deposit() allows for the locking of reward WETH.
The staking protocol receives the WETH used for rewarding stakers through an ERC20 transfer. The issue arises because deposit() first takes in the staking tokens instead of first updating the balances.
This leads to an offset in the delta calculation in the update right after the transfer.
This makes the protocol's calculation lock a specific amount of WETH for the deposited amount of staking tokens as well.
Here is a PoC demonstrating the issue at hand:
https://gist.github.com/CrisCodesCrap/38cb06e3864ace97734a1d86a61de733
The delta ratio calculation will be offset, which will lead to some amount of staking reward loss for every staker in the contract.
Manual Review
Consider keeping the balances of tokens in the protocol only as accounting variables, not as the real values the contract owns. A good example would be how the WETH balance in the contract is handled. Also, consider following the CEI pattern in this function and in every other one in the protocol: https://fravoll.github.io/solidity-patterns/checks_effects_interactions.html
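The ordering problem and both recommendations above, as an added Python model (this is not the linked PoC and not the contract's code). It assumes an index-based reward scheme in which newly received WETH is divided by the staking token supply; every name and amount in it is constructed.

```python
# Constructed model of index-based reward accounting. All names are
# hypothetical and are not taken from Staking.sol.
SCALE = 10**18

class StakingModel:
    def __init__(self, use_accounting_supply):
        self.use_accounting_supply = use_accounting_supply
        self.tkn_held = 0       # staking tokens the contract really holds
        self.total_staked = 0   # internal accounting variable
        self.weth_held = 0      # WETH the contract really holds
        self.weth_seen = 0      # WETH already folded into the index
        self.index = 0
        self.staked, self.user_index, self.claimable = {}, {}, {}

    def reward(self, amount):
        self.weth_held += amount            # plain ERC20 transfer in

    def update_for(self, user):
        supply = self.total_staked if self.use_accounting_supply else self.tkn_held
        delta = self.weth_held - self.weth_seen
        if supply > 0 and delta > 0:
            self.index += delta * SCALE // supply
            self.weth_seen = self.weth_held
        owed = self.staked.get(user, 0) * (self.index - self.user_index.get(user, 0)) // SCALE
        self.claimable[user] = self.claimable.get(user, 0) + owed
        self.user_index[user] = self.index

    def deposit(self, user, amount, cei):
        if cei:
            self.update_for(user)           # effects before the transfer
        self.tkn_held += amount             # interaction: tokens arrive
        if not cei:
            self.update_for(user)           # update sees the new tokens
        self.staked[user] = self.staked.get(user, 0) + amount
        self.total_staked += amount

def locked_weth(cei, use_accounting_supply):
    """WETH left unclaimable after a constructed two-staker scenario."""
    m = StakingModel(use_accounting_supply)
    m.deposit("alice", 100, cei)
    m.reward(90)
    m.deposit("bob", 200, cei)
    for user in ("alice", "bob"):
        m.update_for(user)
    return m.weth_held - sum(m.claimable.values())
```

In this scenario the transfer-then-update order leaves 60 of the 90 reward units attributed to no staker, while either updating before the transfer or dividing by an accounting variable leaves none.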