Fjord Token Staking

Description

The FjordStaking::unstakeAll function allows users to unstake all their tokens across all active epochs. However, if some of the user's tokens are still within the lock cycle (i.e., the minimum required epochs for staking have not yet passed), these tokens will remain locked and cannot be unstaked. The function currently provides no feedback to inform the user that some of their tokens remain locked, potentially leading to confusion or frustration when users expect all their tokens to be unstaked.

Impact

While this issue does not pose a security risk, it significantly impacts user experience by leaving users unaware of why some of their tokens were not unstaked. Users may mistakenly believe that the contract failed to execute properly or that an error occurred, leading to unnecessary support inquiries or negative perceptions of the staking process.

Proof of Concepts

The following scenario illustrates the issue:

1. A user stakes tokens across multiple epochs.

2. The user calls FjordStaking::unstakeAll expecting all their tokens to be unstaked.

3. Some of the user's tokens remain locked due to the lock cycle, but the function does not inform the user of this fact.

4. The user receives fewer tokens than expected and may not understand why the remaining tokens are still locked.

Code snippet from FjordStaking::unstakeAll:

This line skips the unstaking process for any deposits where the lock cycle has not passed, but no feedback is provided to the user.

Recommended mitigation

To enhance user experience and transparency, consider implementing the following improvements:

1. Emit Events for Locked Tokens: Emit an event such as TokensLocked(address indexed user, uint16 indexed epoch, uint256 amountLocked); whenever tokens remain locked due to the lock cycle. This informs users about the status of their tokens.

2. Return Detailed Information: Modify the return value of unstakeAll to include information about the total amount of tokens that remain locked. This will allow users to see not only how many tokens were unstaked but also how many remain locked.

3. Provide Detailed Output in the Frontend: Ensure that the user interface clearly communicates the status of locked tokens when unstakeAll is called, so users are fully aware of the state of their staked tokens.