If user stakes again, he will lose all of his rewards
Summary
Currently in VaultRouterBranch users can stake their shares to receive rewards in terms of WETH. If user has some of his shares staked and he decide to stake some more, but there is a reward accumulated, he will lose the reward if he stakes again, before claiming the reward.
Vulnerability Details
Let's have the following scenario:
User A has 100 shares and he decides to stake 50 shares.
After some period, some rewards are accumulated and the user is eligible to claim it.
But he decides to stake the other 50, which will lead in situation where
accumulateActorwill update the state of the actor and accumulated rewards will be lost.User will be not able to claim the rewards for the first 50 tokens, which he staked.
The problem lies that the accumulateActor function will call underlying this function:
The function will set lastValuePerShare to the current one and the user will be not able to claim anymore valueChange.
Impact
User will be not able to claim their rewards and this will lead to lost of reward.
Tools Used
Manual review
Recommendations
Consider implementing similar mechanism to the one in unstake:
Lead Judging Commences
Inside VaultRouterBranch if you stake wait some time then stake again makes you lose the rewards.
Appeal created
Inside VaultRouterBranch if you stake wait some time then stake again makes you lose the rewards.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.