Open hats-bug-reporter[bot] opened 1 month ago
Typo correction: the steps when unlock and cancel should be sAZERO, not AZERO.

When Alice requests unlock of id 0, the id 1 will get id 0. So after a new request, the new request will get id 1, and the original withdraw request is still there.
You should write a test case that supports this, because it does not seem to be correct.

Agree. After cancel or redeem, the id is adjusted, so it's not a fixed id. This submission is invalid.

Thanks for your submission. Just like issue #2, unlock_id isn't a saved variable on UnlockRequest; it is simply a pointer to the position of the array.

Github username: --
Twitter username: --
Submission hash (on-chain): 0xfbb52a184310cd102f6aa14e15bd458f652dad42f20a821cce7a2f29c8789a77
Severity: high

Description:

A user who wants to unlock their stake can call `request_unlock`. This function will insert a pending unlock request for the user. Each request has its own `unlock_id`. This `unlock_id` is generated from `let unlock_id=(user_unlock_requests.len()-1) as u128;`, line 282. The issue here is that this `unlock_id` is open for duplication. Consider this case:

- `request_unlock`, which will get the `unlock_id` = 0
- `unlock_id` = 1, and `user_unlock_requests` length = 2
- `cancel_unlock_request` of the 20 AZERO, which is `unlock_id` 0; now `user_unlock_requests` length is 1
- `request_unlock` 70 AZERO (since there is still a request to unlock 30 AZERO), then she will get the same `unlock_id`, which is 1. `user_unlock_requests`
- Finally, when redeeming, Alice will use the duplicate `unlock_id` and get only the 70 AZERO, while the 30 AZERO is overwritten. Note that she already transferred her sAZERO shares to the contract on line 254.

The issue arises due to the potential duplication of `unlock_id`, because `user_unlock_requests` can be decreased due to cancellation, and then, after being overwritten, when redeeming using this `unlock_id` the user can lose their asset.

Attack Scenario

Attachments

Proof of Concept (PoC) File
Revised Code File (Optional)

Recommendation

Replace the generation of `unlock_id` implementation. Or maybe when canceling, keep the `user_unlock_requests` index, just empty the values.
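As an added illustration (my own model, not the contract's code), the sequence in the report replayed on a minimal queue whose `unlock_id` is the Vec position, next to a counter-based queue in the spirit of the recommendation: with position ids the cancelled slot shifts later requests down, so after the 70 request id 1 names the 70 entry and the 30 entry now sits at id 0, with nothing overwritten; with a stable id, an id recorded earlier keeps naming the same request. `IndexIdQueue`, `StableIdQueue`, `remove_request` and `alice_scenario` are hypothetical names, and the amounts are constructed sample values.

```rust
// Added example (not the project's code): one user's unlock-request queue with
// unlock_id as the Vec position, beside a stable-id variant. Amounts are
// constructed sample values in sAZERO shares.

/// Index-based ids: `unlock_id` is simply the request's position in the Vec.
#[derive(Default)]
pub struct IndexIdQueue { pub amounts: Vec<u128> }

impl IndexIdQueue {
    pub fn request_unlock(&mut self, amount: u128) -> u128 {
        self.amounts.push(amount);
        (self.amounts.len() - 1) as u128 // mirrors the quoted line 282
    }
    /// Cancel (or redeem) by position: later requests shift down one slot and
    /// so change id, but no entry is overwritten or lost.
    pub fn remove_request(&mut self, unlock_id: u128) -> u128 {
        self.amounts.remove(unlock_id as usize)
    }
}

/// Stable ids: a monotonic counter that is never reused, so an id a user
/// recorded earlier can never start pointing at a different request.
#[derive(Default)]
pub struct StableIdQueue {
    next_id: u128,
    pub requests: Vec<(u128, u128)>, // (unlock_id, amount)
}

impl StableIdQueue {
    pub fn request_unlock(&mut self, amount: u128) -> u128 {
        let id = self.next_id;
        self.next_id += 1;
        self.requests.push((id, amount));
        id
    }
    pub fn remove_request(&mut self, id: u128) -> Option<u128> {
        let pos = self.requests.iter().position(|&(rid, _)| rid == id)?;
        Some(self.requests.remove(pos).1)
    }
}

/// Replays the report's sequence (20, 30, cancel id 0, 70) on both models and
/// returns the queued entries in position order.
pub fn alice_scenario() -> (Vec<u128>, Vec<(u128, u128)>) {
    let (mut idx, mut stable) = (IndexIdQueue::default(), StableIdQueue::default());
    for amt in [20, 30] { idx.request_unlock(amt); stable.request_unlock(amt); }
    idx.remove_request(0); stable.remove_request(0);
    idx.request_unlock(70); stable.request_unlock(70);
    (idx.amounts, stable.requests)
}
```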