Closed sherlock-admin4 closed 4 months ago
The protocol is designed to automatically re-lock a position when it is expired, and that's why early exits of expired positions are forced to be re-locked for defaultRelockTime. This is the intended design of the protocol, and that's why this issue is invalid.
Escalate The intended design is that if stakers exit early ,they will be penalised ,but if they wait for the the lock Period ,the tokens will be relocked for the defaultRelockPeriod.So the issue ,if the staker wants to liquidate his token just on time ,he just can't do it on time ,without getting penalised ,its similar to the M-2 issue mentioned in the audit report ,why it is invalid.
Escalate The intended design is that if stakers exit early ,they will be penalised ,but if they wait for the the lock Period ,the tokens will be relocked for the defaultRelockPeriod.So the issue ,if the staker wants to liquidate his token just on time ,he just can't do it on time ,without getting penalised ,its similar to the M-2 issue mentioned in the audit report ,why it is invalid.
The escalation could not be created because you are not exceeding the escalation threshold.
You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.
DIV
high
[H-1] Problem with Automatic Restaking in Smart Contract
Summary
The smart contract in question allows a user to exit early through
earlyExitById
with a penalty or exit late throughexitLateById
without a penalty. However, there is a potential issue that token are automatically restaked after thelockPeriod
for the time that is minimum ofdefaultRelockTime
andLockPeriod
. So, if a user wish to withdraw his token throughexitLateById
they has to wait for the new duration .Vulnerability Detail
The vulnerability lies in the late exit mechanism of the contract. If a user does not withdraw their tokens within the
lockPeriod
, the contract automatically restakes the tokens for the duration which is minimum of original lock period and default relock time. This automatic restaking could potentially lock the user's tokens for an unintended period of time. Also, the user cannot chooseearlyExitById
as this option will result in potential loss of their staking token.Impact
The impact of this vulnerability is significant. Users who intend to withdraw their tokens after the staking period may find their tokens locked for an additional period. This could affect their liquidity and could potentially lead to loss of investment opportunities.
Code Snippet
Tool used
Manual Review
Recommendation
It is recommended to add a mechanism that allows users to withdraw their tokens on time in the late exit scenario. One possible solution could be to add a function that allows users to set a withdrawal time. This would give users more control over their tokens and prevent unintended restaking.