The WStETHMock contract has a wrap function that lets users convert stEth tokens into the wrapped token. However, there is no corresponding unwrap or withdrawal mechanism, which is a critical vulnerability: stEth tokens deposited into the contract can become permanently locked. Without an exit path, users cannot reclaim their original tokens.
The contract does not provide a means for users to unwrap or withdraw stEth tokens once they have been wrapped using the wrap function.
Users may lose access to their stEth tokens indefinitely, impacting their ability to manage and utilize their assets. The absence of an unwrap function also limits the utility of the contract, hindering its effectiveness as a wrapper for stEth tokens.
Manual review
To mitigate this vulnerability, it is strongly recommended to introduce a secure function that allows users to unwrap or withdraw their stEth tokens from the contract, providing an exit strategy and preventing loss of funds.
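One way the recommended exit path could look, as an added sketch that is not the audited contract's source. The contract name `WStETHMockWithUnwrap`, the `stETH` state variable, the fixed 1:1 rate, and the use of OpenZeppelin's `ERC20` and `SafeERC20` are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical sketch, not the audited WStETHMock source.
// Assumption: wrapped tokens are minted 1:1 against deposited stETH.
contract WStETHMockWithUnwrap is ERC20 {
    using SafeERC20 for IERC20;

    // Underlying token held in custody by this wrapper (assumed name).
    IERC20 public immutable stETH;

    constructor(IERC20 _stETH) ERC20("Wrapped stETH (mock)", "wstETH") {
        stETH = _stETH;
    }

    // Deposit stETH and receive the wrapped token.
    function wrap(uint256 stETHAmount) external returns (uint256 wstETHAmount) {
        require(stETHAmount > 0, "wrap: zero amount");
        wstETHAmount = stETHAmount; // assumed 1:1 rate
        stETH.safeTransferFrom(msg.sender, address(this), stETHAmount);
        _mint(msg.sender, wstETHAmount);
    }

    // Exit path missing from the reported contract: burn the wrapped
    // token and return the underlying stETH to the caller.
    function unwrap(uint256 wstETHAmount) external returns (uint256 stETHAmount) {
        require(wstETHAmount > 0, "unwrap: zero amount");
        stETHAmount = wstETHAmount; // inverse of the assumed 1:1 rate
        // Burn first (state change before external call); _burn reverts
        // if the caller holds fewer wrapped tokens than requested.
        _burn(msg.sender, wstETHAmount);
        stETH.safeTransfer(msg.sender, stETHAmount);
    }
}
```

Because `unwrap` burns exactly what `wrap` minted, the contract's stETH balance always covers the outstanding wrapped supply under the 1:1 assumption; a wrapper with a variable rate would need the same conversion applied in both directions.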