TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Missing checks to prevent withdrawal during `vestingPeriod`

Summary

Typically, a vesting period ensures that users cannot withdraw their staked tokens before a certain time has passed.
This is usually enforced by a check within the withdraw function.

TempleGoldStaking is missing such checks when a user attempts to withdraw before the end of the vesting period.

Vulnerability Details

TempleGoldStaking contract implements a minimum vesting period of 1 Week.

This vestingPeriod deadline is set in StakeInfo.fullyVestedAt
every time a user calls the stake or stakeFor function.

https://github.com/TempleDAO/temple/blob/templegold/protocol/contracts/templegold/TempleGoldStaking.sol#L498

However, the withdrawFor function currently has no conditions in place
to check if the user's StakeInfo.fullyVestedAt deadline has passed.

https://github.com/TempleDAO/temple/blob/templegold/protocol/contracts/templegold/TempleGoldStaking.sol#L433-L461

This allows a user to withdraw at any time.

Impact

  1. Premature Withdrawals:
    Users can withdraw their staked tokens before the vesting period is over.
    This undermines the purpose of the vesting period.

  2. If the vesting period is an essential part of the staking contract's design,
    allowing premature withdrawals can impact the contract's intended economic incentives and security model.

Tools Used

Foundry, Manual Review

Recommendations

One solution is to add the following check in the withdrawFor function:

```solidity
require(block.timestamp >= stakeInfo.fullyVestedAt, "Vesting period has not passed");
```
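
The lock pattern recommended above, with a Foundry test that checks it, as an added example that is not TempleGoldStaking code and does not model that contract's actual behaviour. The `VestingVaultSketch` contract, its `enforceLock` switch and its balance-only accounting (no token transfers) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal vault, NOT TempleGoldStaking: it models only a
// per-account fullyVestedAt deadline and an optional lock on withdrawal.
contract VestingVaultSketch {
    uint256 public constant VESTING_PERIOD = 1 weeks;
    bool public immutable enforceLock;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public fullyVestedAt;

    constructor(bool _enforceLock) { enforceLock = _enforceLock; }

    function stake(uint256 amount) external {
        balanceOf[msg.sender] += amount;
        // The deadline is reset on every stake, as the submission describes.
        fullyVestedAt[msg.sender] = block.timestamp + VESTING_PERIOD;
    }

    function withdraw(uint256 amount) external {
        if (enforceLock) {
            require(block.timestamp >= fullyVestedAt[msg.sender], "Vesting period has not passed");
        }
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8+
    }
}

contract VestingVaultSketchTest is Test {
    function test_withdrawBeforeDeadline_noLock() public {
        VestingVaultSketch v = new VestingVaultSketch(false);
        v.stake(100);
        v.withdraw(100); // succeeds immediately: nothing enforces the deadline
        assertEq(v.balanceOf(address(this)), 0);
    }

    function test_withdrawBeforeDeadline_withLock() public {
        VestingVaultSketch v = new VestingVaultSketch(true);
        v.stake(100);
        vm.expectRevert(bytes("Vesting period has not passed"));
        v.withdraw(100); // blocked while block.timestamp < fullyVestedAt
        vm.warp(v.fullyVestedAt(address(this))); // advance exactly to the deadline
        v.withdraw(100);
        assertEq(v.balanceOf(address(this)), 0);
    }
}
```
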
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
