Summary

The unstake function uses the send method to transfer ETH, which may fail if the recipient address is a contract that does not accept ETH transfers.

Vulnerability Details

In the unstake function :

The send method attempts to transfer ETH to the address specified by _to. In Vyper, if the recipient address is a contract, and this contract does not include a __default__(_name: type) external payable function to handle incoming ETH (which is invoked when ETH is sent to the contract), the transfer will fail. Contracts that do not have this function will not be able to accept ETH, leading to a failed transaction when using send.

Impact

If the recipient address is a contract without a proper __default__ function or equivalent to accept ETH, the transaction will fail. This can result in the failure of unstaking operations and potential loss of ETH, as the transfer cannot be completed.

Tools Used

Manual Code Review

Recommendations

To ensure reliable ETH transfers in the unstake function, first, implement a check to verify if the recipient address is a contract and ensure that it can handle ETH transfers. Before executing the transfer, capture the contract's ETH balance, and then perform the transfer. Afterward, verify that the contract's balance has decreased by the exact amount transferred. This process helps confirm that the transfer was successful and that the recipient can handle ETH, reducing the risk of failed transactions or lost funds.