Judge @GalloDaSballo has assessed the 2nd item in QA Report #163 as Medium risk. The relevant finding follows:
…
Users' funds can become locked in the contract
In the withdraw function in ConvexStakingWrapper there's a call to MasterChef's withdraw funciton which uses the safeConcurTransfer function in the MasterChef contract. This function won't fail if the balance is insufficient, but it will transfer the balance and not the wanted amount. But the withdraw function in ConvexStakingWrapper will substract the user's deposit amount by the given amount, without taking in account the actual amount the user got. This can lead to users that won't be able to get their full deposits and will lead to locked funds in the MasterChef contract. This is also correct for the StakingRewards contract which also uses MasterChef's withdraw funciton.
CloudEllie
commented
2 years ago
Judge @GalloDaSballo has assessed the 2nd item in QA Report #163 as Medium risk. The relevant finding follows:
…
Users' funds can become locked in the contract
In the
withdrawfunction inConvexStakingWrapperthere's a call toMasterChef'swithdrawfunciton which uses thesafeConcurTransferfunction in the MasterChef contract. This function won't fail if the balance is insufficient, but it will transfer the balance and not the wanted amount. But thewithdrawfunction inConvexStakingWrapperwill substract the user's deposit amount by the given amount, without taking in account the actual amount the user got. This can lead to users that won't be able to get their full deposits and will lead to locked funds in the MasterChef contract. This is also correct for theStakingRewardscontract which also usesMasterChef'swithdrawfunciton.