search

code-423n4 / 2024-07-karak-findings

0 stars 0 forks source link

MIN_STAKE_UPDATE_DELAY for staking a vault may disincentivize users to stake #79

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/main/src/interfaces/Constants.sol#L15

Vulnerability details

Impact

In the current implementation of the Core functionality, there is MIN_STAKE_UPDATE_DELAY parameter that is used to verify whether 9 days has passed since the vault stake update has been requested. In the case of unstaking it's done to make sure that the user is not able to front-run slashing. However, for the initial stake such huge amount of wait time seems extremely unreasonable and may disincentivize some users.

Proof of Concept

There is the following MIN_STAKE_UPDATE_DELAY parameter that is equal to 9 days:

https://github.com/code-423n4/2024-07-karak/blob/main/src/interfaces/Constants.sol#L15

uint256 public constant MIN_STAKE_UPDATE_DELAY = SLASHING_WINDOW + SLASHING_VETO_WINDOW;

For staking reasons it's not reasonable to have such a huge amount of time because there are no any risks around front-running. However, there can be a case when DSS does not validate an operator right away in registerOperatorToDSS() but does this in validateAndUpdateVaultStakeInDSS() after some time. The problem is that in the first function it does not ignore failure meaning DSS has an ability to block registration of operator but in the second function it cannot do so and it's just formal. Therefore, there is no any reason for such delay and it can significantly impact user experience and prevent from using it as it's needed to wait for 9 days to stake and 9 days to unstake a single vault.

Tools Used

Manual review.

Recommended Mitigation Steps

Reduce update delay for staking operation as there are not any risks of front-running.

Assessed type

Other

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Out of scope

c4-judge commented 2 months ago

MiloTruck removed the grade

c4-judge commented 2 months ago

MiloTruck marked the issue as not a duplicate

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Invalid

MiloTruck commented 2 months ago

Invalid.

This is a design suggestion and not a bug. The warden has not demonstrated how MIN_STAKE_UPDATE_DELAY can have a significant impact on the protocol or its users.