Description:
The _amount parameter in the unstake function is only validated to ensure that it is greater than 0 and less than or equal to the user's staked amount. However, the function does not account for edge cases such as unstaking a very small amount of ETH (e.g., a single wei) that is not practical or meaningful in the context of the protocol.
Impact:
Allowing users to unstake very small amounts of ETH could lead to unnecessary transactions that consume gas without providing significant value. This could also clutter the blockchain with unnecessary events and data, reducing the overall efficiency and user experience of the protocol.
Proof of Concept:
Consider the following scenario:
A user has 1 ETH staked and attempts to unstake 0.000000000000000001 ETH (1 wei).
The function would process this transaction, consuming gas and emitting an event for a negligible amount of ETH.
Recommended Mitigation:
Set a Minimum Unstaking Threshold: Introduce a minimum unstaking threshold to prevent users from unstaking impractically small amounts.
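One way to implement the recommended threshold, as an added example that is not the audited protocol's code: the contract name, the `stakes` mapping, the error names and the `MIN_UNSTAKE` value (0.01 ETH) are assumptions. Besides rejecting partial unstakes below the minimum, it also rejects partial unstakes that would leave a remainder below the minimum, while still allowing a full exit so that a position which has fallen under the threshold is never locked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited protocol's code): a minimal ETH staking
/// vault showing the minimum-unstake threshold from the recommended mitigation.
/// `MIN_UNSTAKE`, `stakes`, and the error names are assumptions.
contract StakingWithMinimumUnstake {
    /// Smallest amount a partial unstake may move. Constructed value: 0.01 ETH.
    uint256 public constant MIN_UNSTAKE = 0.01 ether;

    mapping(address => uint256) public stakes;

    error ZeroAmount();
    error InsufficientStake(uint256 requested, uint256 available);
    error BelowMinimumUnstake(uint256 requested, uint256 minimum);
    error LeavesDust(uint256 remaining, uint256 minimum);

    event Staked(address indexed user, uint256 amount);
    event Unstaked(address indexed user, uint256 amount);

    function stake() external payable {
        if (msg.value == 0) revert ZeroAmount();
        stakes[msg.sender] += msg.value;
        emit Staked(msg.sender, msg.value);
    }

    /// Reverts on 1-wei style requests unless the caller is exiting entirely,
    /// so a balance that has fallen below MIN_UNSTAKE can still be withdrawn.
    function unstake(uint256 _amount) external {
        uint256 staked = stakes[msg.sender];
        if (_amount == 0) revert ZeroAmount();
        if (_amount > staked) revert InsufficientStake(_amount, staked);

        bool fullExit = (_amount == staked);
        if (!fullExit) {
            // Partial unstake: enforce the threshold on the amount moved...
            if (_amount < MIN_UNSTAKE) revert BelowMinimumUnstake(_amount, MIN_UNSTAKE);
            // ...and on what stays behind, so the position cannot be reduced to dust.
            uint256 remaining = staked - _amount;
            if (remaining < MIN_UNSTAKE) revert LeavesDust(remaining, MIN_UNSTAKE);
        }

        // Update state before the external call (checks-effects-interactions).
        stakes[msg.sender] = staked - _amount;
        emit Unstaked(msg.sender, _amount);

        (bool ok, ) = msg.sender.call{value: _amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

With these checks, the 1 wei request from the proof of concept reverts with BelowMinimumUnstake instead of consuming gas and emitting an event, while a user holding exactly 1 ETH can still unstake the full 1 ETH in one call.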