Stake able to plunder the treasury

[Dead-m0r0z]

Describe the bug An error in the smart contract, leading to incorrect accrual of tokens to the balance..

To Reproduce Steps to reproduce the behaviour:

1. Go to ' https://gala.pstake.finance/'
2. Click on 'UNWRAP'
3. Click "refresh page" in browser
4. Go to the Keplr wallet and see that instead of the specified amount, we received x2 (unwrap 5 pAtom> crediting 10 Atom
5. Sometimes a similar operation can be performed in the opposite direction (wrap 5 Atom> we get 10 pAtom
6. As far as I understand, this is due to the freezing of the transaction. And the re-transaction is done with faucet.

Expected behaviour Thus, thanks to this bug, by doing wrap and unwrap, the user can increase his balance indefinitely

Desktop (please complete the following information):

• OS: [Windows 10]
• Browser [Google chrome]
• Version [91.0.4472.124]

Additional context Also, while participating in the pSTAKE Staking Gala, the following problems were noticed: 1.incorrect display of the values ​​of the Total Unbonding Tokens line

2. Hanging of the site and error of all the leftovers on the site when closing the warning message “This is a test version of pSTAKE. Move only test ATOM and test ETH (ropsten) to get test Pegged ATOM (pATOM) and test Staked ATOM (stkATOM). '
3. Errors when performing the actions 'declare now' and 'deliver'. At first, these operations are performed, and I can see it, but after a while the bet is canceled.

Ethereum address 0xD9E780c02C838C39e71A930e21F552287eA06Bc9

Criticality Assessment Please pick one:

• [+] High: An issue that might cause immediate loss of the funds or permanent/severe damage of the protocol state
• [ ] Medium: An issue that might theoretically cause minimal loss of funds damage the protocol state or cause severe user dissatisfaction
• [ ] Low: An issue that might cause user dissatisfaction or minimal failure of the application

Checklist

• [+] The reported issue is in the scope of the pStake BugBounty program.
• [+] This issue has not been reported before.
• [+] The ethereum address filled in is valid.

[kombos]

hi, this issue was identified and corrected in the Alpha environment where the bug-bounty applies. but to re-confirm, can you provide the comos address that you were using for these transactions?

[Dead-m0r0z]

cosmos1lkg4q95nyemae0gkvk4lea78trnurcckqm7plg This error worked for GALA

[Dead-m0r0z]

I wrote on Discord that I don't fully understand why my increased staking results were not taken into account when awarding the winners. After all, I did not violate the rules of the competition, since technically I did not translate pAtom from a third-party address, but increased their number due to a bug. In addition, I reported an error that was relevant at that time and could lead to big problems when starting the main network. For many weeks I was confident that I would receive at least some kind of reward for my efforts... (((