Beginner Friendly · Foundry · DeFi
Submission Details
Severity: low
Valid

Risk of blocked funds if it is not possible to set the vault address.

Description

The Steaking contract only allows users to withdraw their funds before the staking period ends; after that, the only way to get the funds back is through the vault. However, if for any reason the owner is unable to set the vault address, the funds will be blocked forever.

Impact

If the owner(s) die, lose the key used to sign transactions, or for any other reason are unable to set the vault address, users will lose access to their funds.

Proof of Concept

The Steaking::unstake function has a requirement that only allows unstaking before the staking period ends.

@external
def unstake(_amount: uint256, _to: address):
    """
    @notice Allows users to unstake their staked ETH before the staking period ends. Users
    can adjust their staking amounts to their liking.
    @param _amount The amount of staked ETH to withdraw.
    @param _to The address to send the withdrawn ETH to.
    """
@>  assert not self._hasStakingPeriodEnded(), STEAK__STAKING_PERIOD_ENDED
    assert _to != ADDRESS_ZERO, STEAK__ADDRESS_ZERO
    stakedAmount: uint256 = self.usersToStakes[msg.sender]
    assert stakedAmount > 0 and _amount > 0, STEAK__AMOUNT_ZERO
    assert _amount <= stakedAmount, STEAK__INSUFFICIENT_STAKE_AMOUNT
    self.usersToStakes[msg.sender] -= _amount
    self.totalAmountStaked -= _amount
    send(_to, _amount)
    log Unstaked(msg.sender, _amount, _to)

The Steaking::depositIntoVault function only allows deposits if the vault address has previously been set.

@external
def depositIntoVault() -> uint256:
    """
    @notice Allows users who have staked ETH during the staking period to deposit their ETH
    into the WETH Steak vault.
    @dev Before depositing into the vault, the raw ETH is converted into WETH.
    @return The amount of shares received from the WETH Steak vault.
    """
@>  assert self._hasStakingPeriodEndedAndVaultAddressSet(), STEAK__STAKING_PERIOD_NOT_ENDED_OR_VAULT_ADDRESS_NOT_SET
    stakedAmount: uint256 = self.usersToStakes[msg.sender]
    assert stakedAmount > 0, STEAK__AMOUNT_ZERO
    extcall IWETH(WETH).deposit(value=stakedAmount)
    extcall IWETH(WETH).approve(self.vault, stakedAmount)
    sharesReceived: uint256 = extcall IWETHSteakVault(self.vault).deposit(stakedAmount, msg.sender)
    log DepositedIntoVault(msg.sender, stakedAmount, sharesReceived)
    return sharesReceived

Recommended mitigation

It is recommended to add a condition in the staking contract's unstake path that allows users to unstake their funds if the vault address has not been set within a certain period after the staking period has ended.
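One way to implement this escape hatch, as an added example that is not part of the original submission or the Steaking codebase: the staking-period check in `unstake` is replaced by a helper that also opens unstaking once the vault is still unset after a grace period. The constant `VAULT_SET_GRACE_PERIOD` and the storage variable `stakingPeriodEnd` are assumptions; the project's own `_hasStakingPeriodEnded()` and `vault` are used as shown on this page.

```vyper
# Assumed constant: how long after the staking period ends the owner has to set the
# vault before users may reclaim their raw ETH (7 days here, value chosen for illustration).
VAULT_SET_GRACE_PERIOD: constant(uint256) = 7 * 24 * 60 * 60

# Assumed existing storage: the timestamp at which the staking period ends.
stakingPeriodEnd: public(uint256)


@internal
@view
def _canUnstake() -> bool:
    # Normal path: the staking period is still running, so unstaking is allowed as before.
    if not self._hasStakingPeriodEnded():
        return True
    # Escape hatch: the owner never set a vault and the grace period has elapsed.
    # Without this branch the funds would be locked in the contract forever.
    vaultMissing: bool = self.vault == empty(address)
    graceElapsed: bool = block.timestamp > self.stakingPeriodEnd + VAULT_SET_GRACE_PERIOD
    return vaultMissing and graceElapsed


@external
def unstake(_amount: uint256, _to: address):
    # Replaces `assert not self._hasStakingPeriodEnded()`: still blocks unstaking right after
    # the period ends (so the vault migration can happen), but not indefinitely.
    assert self._canUnstake(), STEAK__STAKING_PERIOD_ENDED
    assert _to != ADDRESS_ZERO, STEAK__ADDRESS_ZERO
    stakedAmount: uint256 = self.usersToStakes[msg.sender]
    assert stakedAmount > 0 and _amount > 0, STEAK__AMOUNT_ZERO
    assert _amount <= stakedAmount, STEAK__INSUFFICIENT_STAKE_AMOUNT
    self.usersToStakes[msg.sender] -= _amount
    self.totalAmountStaked -= _amount
    send(_to, _amount)
    log Unstaked(msg.sender, _amount, _to)
```

Because `depositIntoVault` is unchanged, a vault set late still works for anyone who has not yet reclaimed their ETH; the two paths never overlap for the same balance since both read and decrement the same `usersToStakes` entry.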

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

In case of a delay or failure to deploy the vault, user's funds are stuck inside the Steaking ctr

Appeal created

