sherlock-audit / 2023-11-covalent-judging


yujin718 - When unstaking, length of unstaking increasing. It may cause overflow #27

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

yujin718

high

When unstaking, length of unstaking increasing. It may cause overflow

Summary

The _unstake() function always pushes Unstaking(coolDownEnd, effectiveAmount). It always increases the index of the array. After transferUnstakedOut, when the amount is 0, this entry needs to be replaced because it is no longer necessary.

Vulnerability Detail

_unstake() pushes a new Unstaking(coolDownEnd, effectiveAmount) and returns the unstakingId.

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L534-L535

Imagine there are lots of transferUnstakedOut() calls for the whole amount, so amount = 0 and coolDownEnd = 0; the entry is of no use anymore.

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L569C32-L569C43

Impact

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L534-L535

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L569C32-L569C43

Tool used

Manual Review

Recommendation

When pushing a new unstaking, check for an empty unstaking item, replace it, and return its id.

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 8 months ago

Invalid, seemingly duplicate of #64, but lacks detailed impact description