Post-staking withdrawal restriction in Steaking contract limits user flexibility
Summary
The Steaking contract contains a vulnerability that restricts users from withdrawing their staked ETH after the staking period ends, which contradicts the intended protocol behavior of allowing optional withdrawals or conversions to WETH for vault deposits.
Vulnerability Details
The unstake function prevents users from withdrawing their ETH once the staking period concludes, locking their funds and forcing them to convert to WETH for deposit into the vault. This creates an unintended user experience and reduces flexibility.
Impact
Users are unable to access their staked ETH after the staking period unless they choose to convert it into WETH and deposit it into the vault, which will deter participation and undermine the protocol’s liquidity bootstrapping goals.
Tools Used
Manual Review
Recommendations
Modify the unstake function to allow users to withdraw their ETH after the staking period ends, providing an option to either withdraw or deposit into the WETH vault.
Lead Judging Commences
In case of a delay or failure to deploy the vault, user's funds are stuck inside the Steaking ctr
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.