code-423n4 / 2023-06-stader-findings


Lack of max value for `_excessETHDepositCoolDown` in `StaderStakePoolsManager` can be used to pause the contract indefinitely #412

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/9f1fc1217510b4f78e59c0fe854a3c2b64db963a/contracts/StaderStakePoolsManager.sol#L111

Vulnerability details

Summary

The code for updating the ETH deposit cooldown in the pools manager has no upper bound, which allows the manager role to use it for denying access to depositETHOverTargetWeight.

Impact

The depositETHOverTargetWeight function is a permissionless function to assign excess ETH supply to a pool. If this function is blocked, there's no other way for users to perform such an operation, leaving the users without the ability to assign the exceeded ETH supply.

Tools Used

Manual review

Recommended Mitigation Steps

Assessed type

DoS
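As an added illustration of the finding above (not code from the Stader repository; apart from `depositETHOverTargetWeight` and `_excessETHDepositCoolDown`, every name and the cap value are assumptions), a minimal sketch of the unbounded setter next to a capped version:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.16;

/// Simplified sketch of the cooldown pattern. Names other than
/// `depositETHOverTargetWeight` and `_excessETHDepositCoolDown` are assumptions,
/// not the real StaderStakePoolsManager code.
contract CoolDownSketch {
    address public manager;
    uint256 public excessETHDepositCoolDown;   // measured in blocks
    uint256 public lastExcessETHDepositBlock;

    // Assumed upper bound for the hardened setter (about one day at ~12s blocks).
    uint256 public constant MAX_EXCESS_ETH_DEPOSIT_COOL_DOWN = 7200;

    error Unauthorized();
    error CoolDownNotElapsed();
    error CoolDownTooLarge();

    constructor() {
        manager = msg.sender;
    }

    modifier onlyManager() {
        if (msg.sender != manager) revert Unauthorized();
        _;
    }

    // Unbounded form (the issue): any value is accepted, so a very large
    // cooldown keeps depositETHOverTargetWeight reverting for good.
    function updateExcessETHDepositCoolDownUnbounded(uint256 _excessETHDepositCoolDown) external onlyManager {
        excessETHDepositCoolDown = _excessETHDepositCoolDown;
    }

    // Capped form: the cooldown cannot exceed the constant, which bounds how
    // long the manager role can delay the permissionless function.
    function updateExcessETHDepositCoolDown(uint256 _excessETHDepositCoolDown) external onlyManager {
        if (_excessETHDepositCoolDown > MAX_EXCESS_ETH_DEPOSIT_COOL_DOWN) revert CoolDownTooLarge();
        excessETHDepositCoolDown = _excessETHDepositCoolDown;
    }

    // Permissionless function gated by the cooldown; the pool assignment
    // logic itself is omitted from this sketch.
    function depositETHOverTargetWeight() external {
        if (block.number <= lastExcessETHDepositBlock + excessETHDepositCoolDown) revert CoolDownNotElapsed();
        lastExcessETHDepositBlock = block.number;
        // ... assign excess ETH to the selected pool ...
    }
}
```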

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)