If they have zero cooldown, block.timestamp > 0 + globals.stakerCooldownPeriod() + globals.stakerUnstakeWindow() is true; if they have an unstakeCooldown set, it will only be true after their window has passed. This is not a bug.
Handle
paulius.eth
Vulnerability details
Function isReceiveAllowed has a comment: "This is only possible if they have zero cooldown or they are passed their withdraw window."; however, it does not explicitly check if withdrawCooldown is zero, so theoretically it could still forbid the receives if lpCooldownPeriod or lpWithdrawWindow is set to a very high value. It is only possible if a malicious governor takes over control, which we should assume is very unlikely.
Recommended Mitigation Steps
Explicitly allow if unstakeCooldown == 0.
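
The two forms of the check discussed in this issue, side by side, as an added example that is not the project's own code. The interface `IGlobalsLike`, the contract name and the `Implicit`/`Explicit` function suffixes are hypothetical; only `isReceiveAllowed`, `unstakeCooldown` and the two globals getters come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interface: only the two getters quoted in the issue.
interface IGlobalsLike {
    function stakerCooldownPeriod() external view returns (uint256);
    function stakerUnstakeWindow() external view returns (uint256);
}

contract ReceiveCheckExample {
    IGlobalsLike public immutable globals;

    constructor(IGlobalsLike _globals) {
        globals = _globals;
    }

    // Comparison as quoted in the issue. With unstakeCooldown == 0 the result
    // is block.timestamp > period + window, so it is true for any realistic
    // parameters but still depends on governance-controlled values.
    // Note: under Solidity 0.8 checked arithmetic, an overflowing sum reverts
    // instead of returning false.
    function isReceiveAllowedImplicit(uint256 unstakeCooldown) public view returns (bool) {
        return block.timestamp >
            unstakeCooldown + globals.stakerCooldownPeriod() + globals.stakerUnstakeWindow();
    }

    // Recommended mitigation from the issue: allow explicitly when no cooldown
    // is set, so the zero-cooldown case no longer reads the globals at all.
    function isReceiveAllowedExplicit(uint256 unstakeCooldown) public view returns (bool) {
        if (unstakeCooldown == 0) {
            return true;
        }
        return block.timestamp >
            unstakeCooldown + globals.stakerCooldownPeriod() + globals.stakerUnstakeWindow();
    }
}
```

The two functions return the same result whenever `stakerCooldownPeriod() + stakerUnstakeWindow()` is below the current `block.timestamp`; they differ only for a zero cooldown when that sum is at or above it.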