Open hats-bug-reporter[bot] opened 1 month ago
Note that this issue is different from #13. If #13 is fixed, this would still be present.
Thank you for your submission. The minimum stake requirement is not meant to force users to have more than that; it's meant for bonding more than that, and it works as intended.
This is correct. Azero requires a bonding amount > 10
Github username: @NicolaMirchev
Twitter username: nmirchev8
Submission hash (on-chain): 0xb7022f6f20f0d14c641eca78bb20dfac6e440ba0eadbc62ddbbffd5504f57f57
Severity: medium
Description:

There is a `minimum_stake` requirement while staking `AZERO`, which is enforced inside the `stake` function. But a user can easily bypass it and leave dust stakes for himself if he first stakes with `minimum_stake` and then redeems some amount. The following issue violates an invariant that a user stake must always be >= `minimum_stake`.

Attack Scenario:

The minimum stake amount is 1000 `AZERO` tokens, but Bob wants to open a 500 `AZERO` position.
He calls `stake` with amount of 1000.
Then he calls `request_unlock`, as this is the entry point for user to unstake.
When the period has passed, he calls `redeem` and he withdraws his 500 `AZERO` + interest and he is left with a stake of 500, which is below the `min_stake_amount`.

Attachments

Proof of Concept (PoC) File: Having in mind the issue is pretty straightforward, I leave it without PoC. Open to providing one if it is necessary.

Revised Code File (Optional): Inside `redeem`, or `request_unlock`, check if the user has a balance of shares above the minimum.
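
The scenario from the report and the check it proposes, as an added example that is not the audited contract's code. It is a simplified Rust model: shares map 1:1 to AZERO, interest and the unlock period are left out, the `Vault` type, the `Error` variants and `request_unlock_checked` are hypothetical names, and allowing a full exit (remainder of zero) is an assumption the report does not state.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Error { BelowMinimum, InsufficientShares, WouldLeaveDust }

// Hypothetical model of the staking vault; accounts are plain u32 ids.
pub struct Vault { minimum_stake: u128, shares: HashMap<u32, u128> }

impl Vault {
    pub fn new(minimum_stake: u128) -> Self {
        Vault { minimum_stake, shares: HashMap::new() }
    }

    pub fn balance(&self, user: u32) -> u128 {
        self.shares.get(&user).copied().unwrap_or(0)
    }

    // The minimum is enforced only here, on the amount of each deposit.
    pub fn stake(&mut self, user: u32, amount: u128) -> Result<(), Error> {
        if amount < self.minimum_stake { return Err(Error::BelowMinimum); }
        *self.shares.entry(user).or_insert(0) += amount;
        Ok(())
    }

    // Behaviour described in the report: any partial unlock is accepted,
    // so the remaining position can end up below the minimum.
    pub fn request_unlock(&mut self, user: u32, amount: u128) -> Result<(), Error> {
        let rest = self.balance(user).checked_sub(amount).ok_or(Error::InsufficientShares)?;
        self.shares.insert(user, rest);
        Ok(())
    }

    // Check suggested in the report, with the assumed full-exit allowance:
    // the remainder must be zero or at least minimum_stake.
    pub fn request_unlock_checked(&mut self, user: u32, amount: u128) -> Result<(), Error> {
        let rest = self.balance(user).checked_sub(amount).ok_or(Error::InsufficientShares)?;
        if rest != 0 && rest < self.minimum_stake { return Err(Error::WouldLeaveDust); }
        self.shares.insert(user, rest);
        Ok(())
    }
}

fn main() {
    let bob = 1u32; // constructed account id
    let mut v = Vault::new(1000);
    v.stake(bob, 1000).unwrap();
    println!("{:?}", v.request_unlock_checked(bob, 500)); // Err(WouldLeaveDust)
}
```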