hats-finance / Kintsu-0x7d70f9442af3a9a0a734fa6a1b4857f25518e9d2

Smart contracts for Kintsu

Users can bypass `minimum_stake` requirement by staking and then redeeming #27

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @NicolaMirchev

Twitter username: nmirchev8

Submission hash (on-chain): 0xb7022f6f20f0d14c641eca78bb20dfac6e440ba0eadbc62ddbbffd5504f57f57

Severity: medium

Description:

There is a `minimum_stake` requirement when staking AZERO, which is enforced inside the `stake` function. But a user can easily bypass it and leave dust stakes for himself if he first stakes with `minimum_stake` and then redeems some amount. The following issue violates an invariant that a user stake must always be >= `minimum_stake`.

Attack Scenario

  1. The minimum stake amount is 1000 AZERO tokens, but Bob wants to open a 500 AZERO position.

  2. He calls `stake` with an amount of 1000.

  3. Then he calls `request_unlock`, as this is the entry point for a user to unstake.

  4. When the period has passed, he calls `redeem` and he withdraws his 500 AZERO + interest and he is left with a stake of 500, which is below the min_stake_amount.

Attachments

  1. Proof of Concept (PoC) File: Having in mind the issue is pretty straightforward, I leave it without PoC. Open to providing one if it is necessary.

  2. Revised Code File (Optional): Inside `redeem` or `request_unlock`, check if the user has a balance of shares above the minimum.
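The check suggested under "Revised Code File", sketched as an added example: this is a simplified Rust model, not Kintsu's contract code and not part of the report. It assumes 1 share equals 1 AZERO and omits the unlock period and `redeem`; `Vault`, `VaultError` and `enforce_remainder` are hypothetical names.

```rust
// Simplified model: added example, not Kintsu's contract code.
// Assumes 1 share == 1 AZERO; Vault, VaultError, enforce_remainder are hypothetical.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum VaultError { BelowMinimumStake, InsufficientShares, RemainderBelowMinimum }

pub struct Vault {
    pub minimum_stake: u128,
    pub enforce_remainder: bool, // false models the behaviour described in the report
    shares: HashMap<&'static str, u128>,
}

impl Vault {
    pub fn new(minimum_stake: u128, enforce_remainder: bool) -> Self {
        Vault { minimum_stake, enforce_remainder, shares: HashMap::new() }
    }

    pub fn balance(&self, user: &str) -> u128 {
        self.shares.get(user).copied().unwrap_or(0)
    }

    // The minimum is enforced per deposit only.
    pub fn stake(&mut self, user: &'static str, amount: u128) -> Result<(), VaultError> {
        if amount < self.minimum_stake {
            return Err(VaultError::BelowMinimumStake);
        }
        *self.shares.entry(user).or_insert(0) += amount;
        Ok(())
    }

    // Suggested check: an unlock must leave either zero or at least `minimum_stake`.
    pub fn request_unlock(&mut self, user: &'static str, amount: u128) -> Result<u128, VaultError> {
        let held = self.balance(user);
        let remaining = held.checked_sub(amount).ok_or(VaultError::InsufficientShares)?;
        if self.enforce_remainder && remaining != 0 && remaining < self.minimum_stake {
            return Err(VaultError::RemainderBelowMinimum);
        }
        self.shares.insert(user, remaining);
        Ok(remaining)
    }
}

fn main() {
    let mut guarded = Vault::new(1000, true);
    guarded.stake("bob", 1000).unwrap();
    println!("partial unlock: {:?}", guarded.request_unlock("bob", 500));
    println!("full unlock:    {:?}", guarded.request_unlock("bob", 1000));
}
```

A full exit is still allowed under the check; only a partial unlock that would leave a non-zero remainder below the minimum is rejected.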

NicolaMirchev commented 1 month ago

Note that this issue is different from #13. If #13 is fixed, this would still be present.

0xmahdirostami commented 1 month ago

Thank you for your submission. The minimum stake requirement is not meant to force users to have more than that; it's meant for bonding more than that, and it works as intended.

bgibers commented 1 month ago

> Thank you for your submission. The minimum stake requirement is not meant to force users to have more than that; it's meant for bonding more than that, and it works as intended.

This is correct. Azero requires a bonding amount > 10