Users cannot exit all staked tokens through the exit function
Summary
The incorrect parameters passed in when calling the unstake function inside the exit function of StakingRewardsV2.sol will cause the user to be unable to exit all staked tokens through the exit function.
Root Cause
In StakingRewardsV2.sol:336, the use of nonEscrowedBalanceOf(msg.sender) as a parameter for the unstake function is incorrect because the amount staked is stored in BalanceOf(msg.sender).
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
1. The user first stakes through the stakeEscrow function, assuming the staked amount is 100*10**18.
2. The user stakes again through the stake function, assuming the staked amount is 50*10**18.
3. After the cooldownPeriod has elapsed, the exit function is called to withdraw all tokens.
Impact
When the exit function is called, it will revert because the nonEscrowedBalanceOf function throws an exception. Users cannot unstake through the exit function.
PoC
No response
Mitigation
The exit function is recommended to be implemented as follows:

    function exit() external {
        unstake(balanceOf(msg.sender));
        unstake(escrowedBalanceOf(msg.sender));
        _getReward(msg.sender);
    }

Itchy Scarlet Ladybug
Low/Info
https://github.com/sherlock-audit/2024-07-kwenta-staking-contracts/blob/main/token/contracts/StakingRewardsV2.sol#L335-L338