The VaultControllerStrategy::withdraw
attempts to unstake tokens from the Chainlink staking contract without verifying if the contract is inactive, which is a requirement for the unstake operation to succeed.
The unstake() function in the Chainlink contract has a whenInactive
modifier. The current implementation does not check the staking contract's status before attempting to unstake, leading to potential reverts.
VaultControllerStrategy::Withdraw
Checks if the vault can withdraw (deposits exist, claim period active, vault not removed).
Calls vault.withdraw(amount)
to initiate withdrawal.
VaultControllerStrategy::Withdraw
Calls vault.withdraw(amount)
to initiate withdrawal.
vault.withdraw(deposits); goes to Vault contract
unstake()
only works if the contract is inactive (whenInactive modifier).
Transfers unstaked tokens to the caller.
Reverts: If the Chainlink staking contract is active, any attempt to unstake will fail, causing a transaction revert.
Operational Risk: This can disrupt the withdrawal process, impacting the strategy's ability to manage funds effectively.
Manual Review
Implement a check to ensure the Chainlink staking contract is inactive before calling the unstake function.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.