Closed howlbot-integration[bot] closed 2 months ago
MiloTruck marked the issue as unsatisfactory: Out of scope
MiloTruck removed the grade
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as unsatisfactory: Invalid
Invalid.
This is a design suggestion and not a bug. The warden has not demonstrated how MIN_STAKE_UPDATE_DELAY
can have a significant impact on the protocol or its users.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/interfaces/Constants.sol#L15
Vulnerability details
Impact
In the current implementation of the
Core
functionality, there isMIN_STAKE_UPDATE_DELAY
parameter that is used to verify whether 9 days has passed since the vault stake update has been requested. In the case of unstaking it's done to make sure that the user is not able to front-run slashing. However, for the initial stake such huge amount of wait time seems extremely unreasonable and may disincentivize some users.Proof of Concept
There is the following
MIN_STAKE_UPDATE_DELAY
parameter that is equal to 9 days:https://github.com/code-423n4/2024-07-karak/blob/main/src/interfaces/Constants.sol#L15
For staking reasons it's not reasonable to have such a huge amount of time because there are no any risks around front-running. However, there can be a case when DSS does not validate an operator right away in
registerOperatorToDSS()
but does this invalidateAndUpdateVaultStakeInDSS()
after some time. The problem is that in the first function it does not ignore failure meaning DSS has an ability to block registration of operator but in the second function it cannot do so and it's just formal. Therefore, there is no any reason for such delay and it can significantly impact user experience and prevent from using it as it's needed to wait for 9 days to stake and 9 days to unstake a single vault.Tools Used
Manual review.
Recommended Mitigation Steps
Reduce update delay for staking operation as there are not any risks of front-running.
Assessed type
Other