Inconsistent Unstaking Behavior Between unstake and unstakeAll Functions
Summary
The unstakeAll function in the FjordStaking contract inconsistently handles withdrawals compared to the unstake function, particularly regarding deposits made in the current epoch. While unstake allows immediate withdrawal from the current epoch, unstakeAll does not, leading to potential issues with accessing funds deposited in the current epoch.
Vulnerability Details
Inconsistent Epoch Handling: The unstake function allows users to immediately withdraw tokens from the current epoch, updating the newStaked variable accordingly. However, the unstakeAll function does not permit withdrawal of tokens from the current epoch. It compares the deposit epoch with the current epoch and skips any deposits made in the current epoch, preventing users from accessing their funds.
Partial Property Inheritance: The unstakeAll function should ideally mirror the behavior of the unstake function when it comes to handling deposits from the current epoch. The current implementation causes inconsistency, where the unstake function allows immediate access while unstakeAll does not, leading to confusion and potential loss of access to funds
Impact
Users may be unable to fully access their staked funds when using the unstakeAll function if the deposit was made in the current epoch. This discrepancy can result in users being unable to withdraw their complete balance, impacting their ability to manage their stakes effectively.
Tools Used
manual code review
Recommendations
Synchronize Epoch Handling: Update the unstakeAll function to handle deposits from the current epoch similarly to how the unstake function does. Allow users to withdraw deposits from the current epoch, ensuring consistent behavior across both functions.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.