Open hats-bug-reporter[bot] opened 11 months ago
Invalid.
As you can see in the following section, forceUnstakeAll() considers the scenario where the portalEnergy balance is higher than maxStakeDebt, hence not setting portalEnergy to zero.
/// @dev Update the user's stake info
accounts[msg.sender].stakedBalance = 0;
accounts[msg.sender].maxStakeDebt = 0;
portalEnergy = accounts[msg.sender].portalEnergy -= (balance * maxLockDuration) / SECONDS_PER_YEAR;
accounts[msg.sender].availableToWithdraw = 0;
The user will maintain Portal Energy as internal balance if he has a surplus after unstaking. This surplus balance can be sold into the internal LP or minted as ERC20 token, hence is fully available by the user even after unstaking.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x7f7b4d7433c296008670e9150291f5bea0cf93f38bdfab335460f451079d0c67 Severity: high
Description: Description\ Users who have acquired more portalEnergy than maxStakeDebt by specifically purchasing portalEnergy stand to lose their excess portalEnergy tokens if they call ForceUnstakeAll. This is because ForceUnstakeAll does not take into account a situation where portalEnergy is more than their maxStakeDebt.
Attack Scenario\ Describe how the vulnerability can be exploited.
Attachments
Proof of Concept (PoC) File
if(portalEnergy > accounts[msg.sender].maxStakeDebt) {
}