Closed c4-bot-3 closed 5 months ago
Overinflated severity. Also falls into the Known Risks "Incorrect configuration being set or admin privileged functions causing invalid configuration", given that an admin would have to set a different configuration than the referred in the docs.
@howlbot reject
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L78 https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L287
Vulnerability details
Summary
According to Documentation:
Vulnerability stems from the current implementation of the
initialize()
function which does not enforce the documented requirement that the unstaking or claim cooldown period (coolDownPeriod
) must be at least7 days
.Proof of Concept
The initialization check for
_coolDownPeriod
only ensures that it is not set tozero
.}
claim()
to complete the unstaking.Breakdown
In the claim() function, the
coolDownPeriod
is checked to ensure that the user can only claim their funds after thecoolDownPeriod
has elapsed since their_withdrawRequest
.The
claim()
function retrieves the user's_withdrawRequest
and checks the current timestamp against thecreatedAt
timestamp of the_withdrawRequest
. If the difference is less thancoolDownPeriod
, the transaction is reverted withEarlyClaim()
, preventing the user from claiming their funds too early.However, if the
coolDownPeriod
was initially set to less than7 days
during the contract's initialization, users could claim their funds before the intended7-day
minimum, exploiting the insufficient validation.Impact
Users can withdraw and claim funds earlier than the intended
7-day
cooldown, violating the staking policy.Tools Used
Manual Review
Recommended Mitigation Steps
Enforce a minimum
7-day cooldown period
in theinitialize()
function.This additional check ensures that
_coolDownPeriod
is at least7 days
, and if not, it reverts.Assessed type
Invalid Validation