Submission Details
Severity: high
Valid

User can stake and unstake repeatedly to earn High amount of reward points

Summary

A user is allowed to stake and unstake as many times as they like; there is no check in the server or the contract that limits this behaviour. A user can exploit this to earn more rewards by repeatedly staking and unstaking a minimal amount.

Vulnerability Details

There is no check, and no reduction in rewards, when a user unstakes an amount they have already staked.

Impact

A user can use this to drain the rewards distributed during the $STEAK token airdrop. A user can use this technique to acquire all of the $STEAK tokens, thus becoming the shark in the STEAK environment.

Proof Of Concept

function testStakeAndUnstake() public {
    // depositing an amount into the contract
    uint256 stakeAmount = 1 ether;
    vm.deal(user1, stakeAmount);
    uint256 user1BalanceBefore = user1.balance;
    for (uint256 i = 0; i < 10; i++) {
        // user1 stakes the amount (a Stake event is emitted every iteration)
        vm.startPrank(user1);
        steaking.stake{value: stakeAmount}(user1);
        vm.stopPrank();
        // user1 immediately unstakes the same amount, getting the ETH back
        _unstake(user1, stakeAmount, user1);
    }
    // after ten cycles the user holds the same ETH as before, yet ten stakes were logged
    uint256 user1BalanceAfter = user1.balance;
    assertEq(user1BalanceAfter, user1BalanceBefore);
}

Tools Used

-> Manual Review

-> Foundry

Recommendations

Instead of logging a Stake event on every stake, emit the staked amount only when the owner calls the setVaultAddress function, or add a time-dependent way of calculating the rewards.
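To make the second recommendation concrete, the added example below (not code from the Steaking project; the server's real accrual logic is not on this page and is assumed to credit every Stake event) contrasts a naive Stake-only point tally with a time-weighted tally over the net staked balance, run over a constructed event log in which one user churns 1 ether ten times in a single block while another simply holds:

```python
from dataclasses import dataclass

ETHER = 10**18

@dataclass(frozen=True)
class Event:
    kind: str        # "Stake" or "Unstake"
    user: str
    amount: int      # wei
    timestamp: int   # block timestamp in seconds

def naive_points(events):
    """Vulnerable accrual (assumed server behaviour): every Stake event is credited,
    Unstake events are never debited, so stake/unstake churn inflates points."""
    points = {}
    for e in events:
        if e.kind == "Stake":
            points[e.user] = points.get(e.user, 0) + e.amount
    return points

def time_weighted_points(events, snapshot_ts):
    """Hardened accrual: track the net staked balance per user and credit
    balance * seconds held (wei-seconds), so churn within a block earns nothing."""
    balance, last_ts, points = {}, {}, {}
    for e in sorted(events, key=lambda ev: ev.timestamp):  # stable sort keeps intra-block order
        held = balance.get(e.user, 0)
        points[e.user] = points.get(e.user, 0) + held * (e.timestamp - last_ts.get(e.user, e.timestamp))
        if e.kind == "Stake":
            held += e.amount
        elif e.kind == "Unstake":
            if e.amount > held:
                raise ValueError(f"{e.user} unstakes more than is staked")
            held -= e.amount
        balance[e.user], last_ts[e.user] = held, e.timestamp
    for user, held in balance.items():  # credit the balance still held at the snapshot
        points[user] += held * (snapshot_ts - last_ts[user])
    return points

# Constructed event log: "cycler" stakes and unstakes 1 ether ten times in one block (t=100),
# "holder" stakes 1 ether once at t=100 and keeps it until the snapshot at t=1000.
EVENTS = [Event("Stake", "holder", ETHER, 100)]
for _ in range(10):
    EVENTS += [Event("Stake", "cycler", ETHER, 100), Event("Unstake", "cycler", ETHER, 100)]
SNAPSHOT_TS = 1000

if __name__ == "__main__":
    print(naive_points(EVENTS))                       # cycler credited ten times the holder
    print(time_weighted_points(EVENTS, SNAPSHOT_TS))  # cycler 0, holder 900 ether-seconds
```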

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Steaking server is not taking unstakes into account
