sherlock-audit / 2024-07-kwenta-staking-contracts-judging


Itchy Scarlet Ladybug - Users cannot exit all staked tokens through the exit function #177

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

Itchy Scarlet Ladybug

Low/Info

Users cannot exit all staked tokens through the exit function

Summary

The incorrect parameters passed in when calling the unstake function inside the exit function of StakingRewardsV2.sol will cause the user to be unable to exit all staked tokens through the exit function.

Root Cause

https://github.com/sherlock-audit/2024-07-kwenta-staking-contracts/blob/main/token/contracts/StakingRewardsV2.sol#L335-L338

In StakingRewardsV2.sol:336 the use of nonEscrowedBalanceOf(msg.sender) as a parameter for the unstake function is incorrect because the amount staked is stored in balanceOf(msg.sender).

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. The user first stakes through the stakeEscrow function, assuming the staked amount is 100*10**18.
  2. The user stakes again through the stake function, assuming the staked amount is 50*10**18.
  3. Then after the cooldownPeriod time, the exit function is called to withdraw all tokens.

Impact

When the exit function is called, it will revert because the nonEscrowedBalanceOf function throws an exception. Users cannot unstake through the exit function.

PoC

No response

Mitigation

The exit function is recommended to be implemented as follows:

function exit() external {
    unstake(balanceOf(msg.sender));
    unstake(escrowedBalanceOf(msg.sender));
    _getReward(msg.sender);
}