Anyone Could Prevent Users from Redeeming Their Tokens

[hats-bug-reporter[bot]]

Github username: @0xmahdirostami Twitter username: 0xmahdirostami Submission hash (on-chain): 0x29c81863c2d782c4373e7f4dac5a9de857ddd4d97d87afe2878f3d74849cdeff Severity: high

Description: Description After the send_batch_unlock_requests function is called, users must wait for a Cooldown Period before they can redeem their funds. If there are insufficient funds in the vault, users can call withdraw and then redeem. However, anyone can call compound before withdraw, which will restake the funds, forcing users to wait for another Cooldown Period before they can attempt to redeem their funds again.

Impact Anyone can prevent users from redeeming their tokens, effectively locking the funds in the contract indefinitely by continuously restaking the funds before users can withdraw.

Scenario

1. A user calls send_batch_unlock_requests.
2. After the cooldown period, before the user can call withdraw, an attacker calls compound.
3. The funds are restaked, and the user must wait for another cooldown period.
4. This process can be repeated, preventing the user from ever redeeming their funds.

[0xmahdirostami]

Note: this compound doesn't gain any value for victim users because their value_at_redemption is already calculated. If no one wants to unstake, their funds will be permanently frozen.

Scenario which attacker gains:

1. attacker stakes 10 AZERO
2. victim stakes 10 AZERO
3. victim requests to unstake and send batch
4. attacker compound after cooldown period and get more funds.
5. victim should wait until new user(new victim) stakes and request unstake
6. attacker could repeat it with a new user

[aktech297]

I don't see any issue, as per design, user funds transferred after 48 hours window period.

Again , it would be nice if you can share the code links to get clear view of the function calls.

[bgibers]

Invalid due to a couple issues:

• Someone can call compound all they want before someone withdraws, the funds will still be on the nomination pool until redeem_with_withdraw is called
• When calling compound, claim_payout only claims rewards, the unbonded request is still on the pool itself
• redeem_with_withdraw once called transfers all funds the the vault directly from the nomination pool