Tags: Beginner Friendly, Foundry, DeFi
100 EXP
Submission Details
Severity: low
Valid

User CANNOT unstake her staked ETH after the staking period has ended

Summary

If the staking period has already ended and a user changes her mind and decides NOT to deposit her already staked ETH into the vault, it becomes impossible for her to unstake and claim her ETH.

Vulnerability Details

Because the protocol's design and logic only allow a user to unstake within the staking period, a user's funds remain stuck in the protocol if she did not unstake before that 4-week period elapsed.

PoC

Here is a Foundry test for the vulnerability:

```solidity
function testUnstakingFailsAfterStakingPeriodAndUserWantsOut() public {
    uint256 dealAmount = 1 ether;
    // user1 stakes 1 ETH while the staking period is open
    _stake(user1, dealAmount, user1);
    // warp past the 4-week staking period
    _endStakingPeriod();
    uint256 stakedAmount = steaking.usersToStakes(user1);
    // user1 now wants her ETH back without depositing into the vault, but
    // unstake reverts with STEAK__STAKING_PERIOD_ENDED, so the funds are stuck
    vm.expectRevert(bytes(STEAK__STAKING_PERIOD_ENDED));
    _unstake(user1, stakedAmount, user1);
}
```

Impact

  • Users are forced against their will to deposit into the vault; otherwise their funds get stuck in the protocol.

  • Poor UX and a centralization issue, as users will be forced to deposit their staked ETH before they can claim it.

Tools Used

  • Manual review

  • Foundry test

Recommendations

As long as users have not deposited their staked ETH into the vault, Steak::unstake should allow them to unstake their ETH at any time they want:
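To make the failure mode and the recommended change concrete, here is a small Python model of the stake/unstake flow. It is an added example, not the Steaking contract's code. The state variables usersToStakes and totalAmountStaked, the revert reason strings and the 4-week staking period are taken from this finding; deposit_into_vault and the ETH/vault balance bookkeeping are assumptions made so the model can exercise the "not yet deposited into the vault" condition of the recommendation. It goes slightly beyond the PoC by also checking that, with the period check removed, ETH already moved into the vault still cannot be unstaked.

```python
"""Toy model of Steaking's stake/unstake flow: original check vs. recommended fix.

Added illustration, not the Steaking contract's own code. State-variable names,
error strings and the 4-week period follow the finding; deposit_into_vault() is
an ASSUMED step that moves a user's whole stake into the vault and zeroes it.
"""
from dataclasses import dataclass, field

ETHER = 10**18
STAKING_PERIOD = 4 * 7 * 24 * 60 * 60  # 4 weeks, in seconds

# Revert reason strings named in the contract / PoC
STEAK__STAKING_PERIOD_ENDED = "STEAK__STAKING_PERIOD_ENDED"
STEAK__ADDRESS_ZERO = "STEAK__ADDRESS_ZERO"
STEAK__AMOUNT_ZERO = "STEAK__AMOUNT_ZERO"
STEAK__INSUFFICIENT_STAKE_AMOUNT = "STEAK__INSUFFICIENT_STAKE_AMOUNT"


class Revert(Exception):
    """Stands in for a failed Vyper assert; str(e) is the reason string."""


@dataclass
class Steaking:
    start_time: int
    now: int                  # block.timestamp stand-in
    fixed: bool = False       # False: keep the period check in unstake; True: recommended fix
    users_to_stakes: dict = field(default_factory=dict)
    total_amount_staked: int = 0
    eth_balances: dict = field(default_factory=dict)  # ETH received by `_to` addresses
    vault_balance: int = 0

    def _has_staking_period_ended(self) -> bool:
        return self.now >= self.start_time + STAKING_PERIOD

    def stake(self, sender: str, amount: int) -> None:
        # Staking is only open during the period (as in the original design).
        if self._has_staking_period_ended():
            raise Revert(STEAK__STAKING_PERIOD_ENDED)
        if amount == 0:
            raise Revert(STEAK__AMOUNT_ZERO)
        self.users_to_stakes[sender] = self.users_to_stakes.get(sender, 0) + amount
        self.total_amount_staked += amount

    def unstake(self, sender: str, amount: int, to) -> None:
        # The assert the recommendation deletes: skipped when `fixed` is True.
        if not self.fixed and self._has_staking_period_ended():
            raise Revert(STEAK__STAKING_PERIOD_ENDED)
        if to is None:  # ADDRESS_ZERO stand-in
            raise Revert(STEAK__ADDRESS_ZERO)
        staked = self.users_to_stakes.get(sender, 0)
        if not (staked > 0 and amount > 0):
            raise Revert(STEAK__AMOUNT_ZERO)
        if amount > staked:
            raise Revert(STEAK__INSUFFICIENT_STAKE_AMOUNT)
        self.users_to_stakes[sender] = staked - amount
        self.total_amount_staked -= amount
        self.eth_balances[to] = self.eth_balances.get(to, 0) + amount  # send(_to, _amount)

    def deposit_into_vault(self, sender: str) -> None:
        """ASSUMED step: the user's stake moves to the vault and her stake entry is
        zeroed. With that invariant, the remaining `stakedAmount > 0` assert is what
        stops an unstake after a vault deposit once the period check is gone."""
        staked = self.users_to_stakes.get(sender, 0)
        if staked == 0:
            raise Revert(STEAK__AMOUNT_ZERO)
        self.users_to_stakes[sender] = 0
        self.total_amount_staked -= staked
        self.vault_balance += staked


def unstake_after_period(fixed: bool) -> tuple:
    """Replays the PoC: stake 1 ether, let 4 weeks pass, try to unstake it all.
    Returns (outcome, remaining stake, ETH received by user1)."""
    c = Steaking(start_time=0, now=0, fixed=fixed)
    c.stake("user1", ETHER)
    c.now = STAKING_PERIOD  # _endStakingPeriod()
    try:
        c.unstake("user1", c.users_to_stakes["user1"], "user1")
    except Revert as e:
        return str(e), c.users_to_stakes["user1"], c.eth_balances.get("user1", 0)
    return "ok", c.users_to_stakes["user1"], c.eth_balances.get("user1", 0)


def unstake_after_vault_deposit() -> str:
    """With the fix applied, ETH already moved into the vault still cannot be unstaked."""
    c = Steaking(start_time=0, now=0, fixed=True)
    c.stake("user1", ETHER)
    c.now = STAKING_PERIOD
    c.deposit_into_vault("user1")
    try:
        c.unstake("user1", ETHER, "user1")
    except Revert as e:
        return str(e)
    return "ok"


if __name__ == "__main__":
    print("original:", unstake_after_period(False))  # stake stuck, no ETH returned
    print("fixed:   ", unstake_after_period(True))   # stake cleared, ETH returned
    print("after vault deposit (fixed):", unstake_after_vault_deposit())
```

The point the model makes beyond the PoC: once the period check is gone, the only thing preventing a user from unstaking ETH that has already gone to the vault is that her usersToStakes entry is zeroed by the vault deposit, so that invariant has to hold in the real contract for the recommended change to be safe.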

```diff
@external
def unstake(_amount: uint256, _to: address):
    """
    @notice Allows users to unstake their staked ETH before the staking period ends. Users
    can adjust their staking amounts to their liking.
    @param _amount The amount of staked ETH to withdraw.
    @param _to The address to send the withdrawn ETH to.
    """
-   assert not self._hasStakingPeriodEnded(), STEAK__STAKING_PERIOD_ENDED
    assert _to != ADDRESS_ZERO, STEAK__ADDRESS_ZERO
    stakedAmount: uint256 = self.usersToStakes[msg.sender]
    assert stakedAmount > 0 and _amount > 0, STEAK__AMOUNT_ZERO
    assert _amount <= stakedAmount, STEAK__INSUFFICIENT_STAKE_AMOUNT
    self.usersToStakes[msg.sender] -= _amount
    self.totalAmountStaked -= _amount
    send(_to, _amount)
    log Unstaked(msg.sender, _amount, _to)
```
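Review bot: the hunk only deletes the staking-period assert; nothing in it enforces the condition stated in the recommendation that the user has "not deposited their staked ETH into the vault". After the deletion, the only guard against unstaking ETH that has already gone to the vault is the remaining `assert stakedAmount > 0 and _amount > 0, STEAK__AMOUNT_ZERO`, so the change is only safe if `self.usersToStakes[msg.sender]` is zeroed when a stake is moved into the vault; either add an explicit check for that state here or state that invariant next to the recommendation. The docstring still says "before the staking period ends" and should be updated to match the new behaviour.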
Updates

Lead Judging Commences

inallhonesty (Lead Judge), 10 months ago: Submission Judgement Published
Validated
Assigned finding tags:

In case of a delay or failure to deploy the vault, user's funds are stuck inside the Steaking ctr

Appeal created

cryptedoji (Submitter), 10 months ago
inallhonesty (Lead Judge), 10 months ago

inallhonesty (Lead Judge), 9 months ago: Submission Judgement Published
Validated
Assigned finding tags:

In case of a delay or failure to deploy the vault, user's funds are stuck inside the Steaking ctr
