Open code423n4 opened 2 years ago
Yes, the fee on instant Unstake needs to be set high enough to make this not profitable.
If a Curve pool exists, then it does become possible to arb the rebase, and this is something that should be fixed, potentially by not allowing the warm-up period to be violated for instant unstaking (through Curve at the very least).
I would qualify this as Medium severity, and leaking value.
2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
I took another look, medium seems reasonable too.
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L406
Vulnerability details
Issue: there is a huge arb opportunity for people who deposit 1 block before the rebase().

Consequences: then they can call instantUnstakeReserve or instantUnstakeCurve to unstake the staked amount, in this way the profit that needs to be distributed on the next rebase increases, he also messes up the rewards for the other holders as the instantUnstakeReserve does not burn the YIELD_TOKEN. Even if there is a fee on the instantUnstakeReserve, there is still a chance for profit.

Affected Code

Mitigations
Burn the YIELD_TOKEN amount in the instantUnstakeReserve
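
The fee threshold raised in the comments can be made concrete with a small accounting model. This is an added example, not code from the report or from the Yieldy contracts; it assumes a pro-rata rebase and a fee charged on the full exited balance, and every function name and number in it is constructed.

```python
from fractions import Fraction


def rebase_split(staked, reward, late_deposit):
    """Assumed model: one rebase splits `reward` pro rata over all staked balances.
    Returns (late staker's share, earlier holders' share)."""
    staked, reward, late_deposit = map(Fraction, (staked, reward, late_deposit))
    total = staked + late_deposit
    return reward * late_deposit / total, reward * staked / total


def late_staker_net(staked, reward, late_deposit, fee):
    """Net result of staking just before the rebase and exiting instantly after it.
    Assumption: the instant-unstake fee applies to the whole exited balance."""
    share, _ = rebase_split(staked, reward, late_deposit)
    exited = (Fraction(late_deposit) + share) * (1 - Fraction(fee))
    return exited - Fraction(late_deposit)


def break_even_fee(staked, reward, late_deposit):
    """Smallest fee at which the round trip yields no gain.
    Algebraically this is reward / (staked + late_deposit + reward)."""
    share, _ = rebase_split(staked, reward, late_deposit)
    return share / (Fraction(late_deposit) + share)


if __name__ == "__main__":
    # Constructed figures: 1,000,000 staked, 5,000 distributed by this rebase,
    # 100,000 deposited one block before it.
    S, P, D = 1_000_000, 5_000, 100_000
    late, earlier = rebase_split(S, P, D)
    print(f"late staker receives      {float(late):.2f}")
    print(f"earlier holders receive   {float(earlier):.2f} instead of {P}")
    print(f"break-even fee            {float(break_even_fee(S, P, D)):.4%}")
    for fee in (Fraction(1, 1000), Fraction(1, 221), Fraction(1, 100)):
        net = late_staker_net(S, P, D, fee)
        print(f"fee {float(fee):.4%}: late staker net {float(net):+.2f}")
```

In this model the break-even fee is roughly the per-rebase yield, so a fee below the yield of a single rebase leaves the round trip profitable, and whatever the late deposit captures is taken from the earlier holders' share.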