stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

A user can lose boost without calling the withdraw function

Summary

boostAmount is wrongly removed from a user when initiateUnlock is called

Vulnerability Details

Here's the protocol's documentation:

"The withdrawal period can only be initiated after at least half of the total locking duration has elapsed and the withdrawal period itself will have a duration of exactly half the total locking duration. For the duration of the withdrawal period, the boost amount for the position will be set to 0 and only after this period has elapsed, the underlying SDL can be withdrawn."

See: https://docs.stake.link/core-contracts/sdlpool

Based on the documentation, boost will be zero during the withdrawal period, and boostAmount is removed at the time of initiating unlock.

However, a user may call initiateUnlock and then decide not to withdraw (call the withdraw function) anymore. Such a user would have lost his boost.

A user shouldn't lose his boost when the withdraw function hasn't been called. This is because a user's funds would still be in the protocol's contract when boost is lost.

Impact

A user loses boostAmount when initiateUnlock is called without withdrawing

Tools Used

Manual review

Recommendations

boostAmount should be set to zero when the withdraw function is called.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
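
The position lifecycle quoted from the documentation above, as a simplified Python model added here for illustration; it is not stake.link's contract code and not part of the submission. The `Position` fields, `LockError`, the "already initiated" check and the use of integer seconds are assumptions; only `initiateUnlock`, `withdraw` and `boostAmount` are names taken from the page.

```python
from dataclasses import dataclass

class LockError(Exception):
    """Raised when a call violates the documented timing rules."""

@dataclass
class Position:  # hypothetical field layout, not the contract's storage
    amount: int        # underlying SDL held by the pool
    boost_amount: int  # boostAmount credited for locking
    start_time: int    # lock start, in seconds
    duration: int      # total locking duration, in seconds
    expiry: int = 0    # end of withdrawal period; 0 = unlock not initiated

def initiate_unlock(pos: Position, now: int) -> None:
    half = pos.duration // 2
    if pos.expiry != 0:  # assumption: a second initiation is rejected
        raise LockError("unlock already initiated")
    if now < pos.start_time + half:
        raise LockError("half of the locking duration has not elapsed")
    pos.expiry = now + half  # withdrawal period is exactly half the duration
    pos.boost_amount = 0     # documented: boost is 0 during the withdrawal period

def withdraw(pos: Position, now: int) -> int:
    if pos.expiry == 0:
        raise LockError("unlock not initiated")
    if now < pos.expiry:
        raise LockError("withdrawal period has not elapsed")
    released, pos.amount = pos.amount, 0
    return released

def scenario() -> dict:
    """Constructed example: 100-day lock of 1000 SDL with 500 boost."""
    day = 86_400
    pos = Position(amount=1000, boost_amount=500, start_time=0, duration=100 * day)
    out = {}
    try:
        initiate_unlock(pos, 49 * day)       # too early: allowed from day 50
    except LockError as e:
        out["early_unlock"] = str(e)
    initiate_unlock(pos, 60 * day)           # withdrawal period runs to day 110
    out["after_unlock"] = (pos.amount, pos.boost_amount, pos.expiry // day)
    try:
        withdraw(pos, 109 * day)             # one day before the period ends
    except LockError as e:
        out["early_withdraw"] = str(e)
    # The state the submission describes: SDL still held, boost already 0.
    out["never_withdrawn"] = (pos.amount, pos.boost_amount)
    out["withdrawn"] = withdraw(pos, 110 * day)
    return out
```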
