The migration adds a resetStakes() function which can only be called by governance. The idea is that stRSR also serves as the governance votes. So stakers can mostly withdraw and, since governance thresholds are all percentages, vote to immolate themselves and restart the staking pool.
The function's permission check, requireGovernanceOnly(), is correct, and the stakeRate is also checked correctly:
Comments
According to the sponsor comments under the issue https://github.com/code-423n4/2023-06-reserve-findings/issues/2, there is no perfect way to avoid this issue completely without significant code changes.