totalUnstakeFine can't be taken away

[c4-bot-9]

Lines of code

https://github.com/code-423n4/2024-07-benddao/blob/117ef61967d4b318fc65170061c9577e674fffa1/src/yield/YieldStakingBase.sol#L71

Vulnerability details

Vulnerability details

in YieldStakingBase.sol

botAdmin can perform unstake(unstakeFine) for forced liquidation In this case, the user pays unstakeFine and is credited with totalUnstakeFine.

  function _unstake(uint32 poolId, address nft, uint256 tokenId, uint256 unstakeFine) internal virtual {
...
    if (msg.sender == botAdmin) {
      require(unstakeFine <= nc.maxUnstakeFine, Errors.YIELD_ETH_EXCEED_MAX_FINE);

      uint256 hf = calculateHealthFactor(nft, nc, sd);
      require(hf < nc.unstakeHeathFactor, Errors.YIELD_ETH_HEATH_FACTOR_TOO_HIGH);

      sd.unstakeFine = unstakeFine;
@>    totalUnstakeFine += unstakeFine;
    }

  function _repay(uint32 poolId, address nft, uint256 tokenId) internal virtual {
...
    vars.nftDebt = _getNftDebtInUnderlyingAsset(sd);
@>  vars.nftDebtWithFine = vars.nftDebt + sd.unstakeFine;

    // compute repay value
    if (vars.claimedYield >= vars.nftDebtWithFine) {
      vars.remainAmount = vars.claimedYield - vars.nftDebtWithFine;
    } else {
      vars.extraAmount = vars.nftDebtWithFine - vars.claimedYield;
    }

    // transfer eth from sender
    if (vars.extraAmount > 0) {
      underlyingAsset.safeTransferFrom(vars.nftOwner, address(this), vars.extraAmount);
    }

But the contract doesn't provide a way to take away the totalUnstakeFine. So this part of the token will be left in the contract

Impact

The totalUnstakeFine token will be locked in the contract.

Recommended Mitigation

Add a way to take away the totalUnstakeFine.

Assessed type

Context

[c4-judge]

MarioPoneder marked the issue as duplicate of #10

[c4-judge]

MarioPoneder changed the severity to 2 (Med Risk)

[c4-judge]

MarioPoneder marked the issue as satisfactory