A user can stake SDL and initiate the unlocking phase without locking it. As a result, the user will get rewards.
The problem is in onTokenTransfer(): the function has no check on lockingDuration, so it never determines whether the stake is meant to be locked or not. It only checks whether lockId is 0, and if it is 0, it calls _storeNewLock() with that id. As a result, a position that was not intended to be locked is locked.
Run the test:
As shown in the PoC, one can stake a very low amount of SDL and the position will automatically be locked, so the staker will be able to get rewards. This is an unwanted state for a protocol.
Manual analysis
Put a check for lockingDuration in onTokenTransfer(): if it is set to 0, don't call _storeNewLock(); instead, create a new storage structure that holds all stakes that are not locked and put the stake into it.
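A minimal sketch of the recommended check, added here as an illustration and not taken from the protocol's code. The contract name, the Lock struct, the unlockedStakes mapping, the custom errors and the (lockId, lockingDuration) calldata layout are all assumptions; only onTokenTransfer(), _storeNewLock(), lockId and lockingDuration come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical, simplified model of the recommendation; not the audited contract.
contract StakePoolSketch {
    struct Lock {
        address owner;
        uint256 amount;
        uint64 startTime;
        uint64 duration;
    }

    address public immutable sdlToken;                  // assumed ERC-677 token that calls back
    uint256 public lastLockId;
    mapping(uint256 => Lock) public locks;              // positions created with a lock
    mapping(address => uint256) public unlockedStakes;  // stakes sent with lockingDuration == 0

    error UnauthorizedToken();
    error InvalidValue();
    error NotLockOwner();

    constructor(address _sdlToken) {
        sdlToken = _sdlToken;
    }

    // Token transfer callback. The calldata layout is an assumption of this sketch.
    function onTokenTransfer(address _sender, uint256 _value, bytes calldata _calldata) external {
        if (msg.sender != sdlToken) revert UnauthorizedToken();
        if (_value == 0) revert InvalidValue();

        (uint256 lockId, uint64 lockingDuration) = abi.decode(_calldata, (uint256, uint64));

        if (lockId != 0) {
            // Existing position: add to it, but only for its owner.
            Lock storage lock = locks[lockId];
            if (lock.owner != _sender) revert NotLockOwner();
            lock.amount += _value;
        } else if (lockingDuration == 0) {
            // The recommended check: a zero duration never reaches _storeNewLock().
            unlockedStakes[_sender] += _value;
        } else {
            _storeNewLock(_sender, _value, lockingDuration);
        }
    }

    function _storeNewLock(address _owner, uint256 _amount, uint64 _lockingDuration) internal {
        uint256 id = ++lastLockId;
        locks[id] = Lock(_owner, _amount, uint64(block.timestamp), _lockingDuration);
    }
}
```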