stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

withdraw function didn't implement checks for withdrawal period

Summary

The withdraw function didn't implement checks for the withdrawal period as described in the protocol's documentation.

Vulnerability Details

Here's what the documentation says:

"The withdrawal period can only be initiated after at least half of the total locking duration has elapsed and the withdrawal period itself will have a duration of exactly half the total locking duration."

See: https://docs.stake.link/core-contracts/sdlpool

Based on the documentation:

  • Withdrawal can start after half the lock duration passes

  • Withdrawal period lasts for half the total lock duration

The withdraw function successfully implemented the first condition:

if (expiry > block.timestamp) revert TotalDurationNotElapsed();

However, the withdraw function didn't ensure that the withdraw period lasts for half the total lock duration.

Here's a practical example:

  • The total lock duration is set by the user, e.g. 1 year

  • The user can initiate withdrawal after half the lock duration, e.g. 6 months

  • Once initiated, the withdrawal period lasts for half the total duration, e.g. another 6 months - this step is not included in the withdraw function.

Impact

There is no withdrawal duration

Tools Used

Manual review

Recommendations

As per the documentation, the withdraw function should have a withdraw duration.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
