Evert0x
commented
2 years ago Dispute, there is no check for ARB_RESTAKE_PERIOD in periods in arbRestake function
Closed code423n4 closed 2 years ago
Evert0x
commented
2 years ago Dispute, there is no check for ARB_RESTAKE_PERIOD in periods in arbRestake function
Handle
pedroais
Vulnerability details
Impact
If the period is disabled arbitraging unstacked funds would be impossible which would destroy the protocol.
Proof of Concept
When the lockup period ends users have to restake or withdraw their funds to avoid being arbitraged. The arbRestake retake the position for a 12 weeks period.
https://github.com/code-423n4/2022-01-sherlock/blob/c763f10c4b5fe2127677d6c25b83adcf3bcec212/contracts/Sherlock.sol#L677
All staking periods can be enabled and disabled by admins.
If this period is disabled then arbitraging would revert and users could keep their funds and earn the APY with 0 risks (effectively stealing from the protocol).
I consider this medium risk since it's a critical issue but unlikely to happen since only admins can disable periods.
Recommended Mitigation Steps
Check that period != 12 weeks in the disable period function in Sherlock.sol