https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/common/Stakeable.sol#L39-L42
https://github.com/eth-infinitism/account-abstraction/blob/f1c5c11b273b7ddae26bb20809419b33ccb8f043/contracts/core/StakeManager.sol#L73-L91
The lack of validation on the `unstakeDelaySec` parameter means that an excessively large value can be provided, effectively locking the funds forever since the delay cannot be reduced once set.
The `Stakeable` contract provides functionality to stake, unlock, and withdraw Ether on an `EntryPoint`. The `addStake()` function allows the owner to stake Ether on a specified `EntryPoint`. He needs to provide a value for `unstakeDelaySec`, which determines the delay before the stake can be unlocked again. However, the `unstakeDelaySec` parameter is not validated against any maximum time limit. This means that if a very high value is provided (by accident), this will lock the staked funds indefinitely.
Implement a maximum limit for the `unstakeDelaySec` parameter to ensure that the delay period is within a reasonable and manageable timeframe, and check the provided `unstakeDelaySec` against it.
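A sketch of the recommended bound, added here as an example; it is not code from the Biconomy repository or from the finding's author. The contract name `BoundedStakeable`, the interface name `IStakeManagerLike`, the custom errors, the `addStake(address, uint32)` signature and the 30-day cap are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interface: only the staking call this example forwards to.
interface IStakeManagerLike {
    function addStake(uint32 unstakeDelaySec) external payable;
}

contract BoundedStakeable {
    // Assumed cap. The finding asks for "a reasonable and manageable timeframe"
    // without naming a value; pick one that matches the deployment's needs.
    uint32 public constant MAX_UNSTAKE_DELAY_SEC = 30 days;

    address public immutable owner;

    error NotOwner();
    error InvalidEntryPoint();
    error UnstakeDelayTooLong(uint32 provided, uint32 maxAllowed);

    constructor(address owner_) {
        owner = owner_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Stakes msg.value on the given EntryPoint with a bounded unstake delay.
    function addStake(address epAddress, uint32 unstakeDelaySec) external payable onlyOwner {
        if (epAddress == address(0)) revert InvalidEntryPoint();

        // A uint32 number of seconds can reach roughly 136 years, and per the
        // finding the delay cannot be reduced once set, so reject oversized
        // values before they reach the EntryPoint.
        if (unstakeDelaySec > MAX_UNSTAKE_DELAY_SEC) {
            revert UnstakeDelayTooLong(unstakeDelaySec, MAX_UNSTAKE_DELAY_SEC);
        }

        IStakeManagerLike(epAddress).addStake{value: msg.value}(unstakeDelaySec);
    }
}
```

Reverting before the external call means a mistyped delay costs only gas, and the custom error returns both the rejected value and the cap to the caller.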
Invalid, admin input error/call validation per [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid)