Omniscia Kanpeki Finance Audit

StakingManager Manual Review Findings

SMR-01M: Circumvention of Expected Amount Penalization

Description:

The unstaking mechanism of the system imposes at most a 12-minute cooldown since the last action performed on the stake. Because _unstake also zeroes the stake's expected field when the tokens are returned, users can circumvent the increaseBorrowerExpectedStake and increaseDepositorExpectedStake adjustments by simply withdrawing and re-staking their tokens: the re-created stake starts with an expected amount of zero, so any previously imposed penalization is erased.

Example:

contracts/managers/StakingManager.sol

function _unstake(bytes32 stakeType) private
{
    require(_isStaking(msg.sender, stakeType), "!staking");

    Stake memory stake = _stake[msg.sender][stakeType];

    // Only the cooldown (unstakableTimestamp) gates the withdrawal; no check on the expected amount
    require(stake.unstakableTimestamp > 0 && block.timestamp > stake.unstakableTimestamp, "using");

    // The whole stake record is reset, including the expected amount that penalizes the user
    _stake[msg.sender][stakeType].amount = 0;
    _stake[msg.sender][stakeType].expected = 0;
    _stake[msg.sender][stakeType].unstakableTimestamp = 0;

    IERC20(_KAE).safeTransfer(msg.sender, stake.amount);

    emit Unstake(msg.sender, stakeType, stake.amount);
}

Recommendation:

We advise this trait of the staking mechanism to be carefully evaluated, as the complex action-tracking system that adjusts the expected amount a stake must satisfy to acquire discounts can be completely nullified by unstaking and re-staking within the system. Either the expected amount should survive an unstake/re-stake cycle, or the cooldown should be long enough that cycling the stake costs the user more than the penalization it erases.

Alleviation:

The unstaking time threshold was increased to 60 days, which prevents this attack vector from manifesting in practice: erasing the expected amount now requires forgoing the stake (and its discounts) for 60 days.
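The following Python model, added here for illustration and not part of the Kanpeki codebase or the audit deliverable, reproduces the unstake/re-stake cycle from the Description and lets the cooldown be varied as in the Alleviation. Everything not visible in the audited _unstake snippet is an assumption: that a stake becomes unstakable `cooldown` seconds after the user requests it, that re-staking clears a pending unstake, and that a discount is granted when the staked amount is at least the expected amount. The sample amounts are constructed.

```python
"""Model of the SMR-01M expected-amount circumvention (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

MINUTE = 60
DAY = 24 * 60 * 60


@dataclass
class Stake:
    """Mirrors the three fields the audited _unstake resets to zero."""
    amount: int = 0
    expected: int = 0
    unstakable_timestamp: int = 0


class StakingModel:
    """Minimal stand-in for StakingManager. Cooldown length, the unstake request
    flow and the discount rule (amount >= expected) are assumptions; the audited
    code only shows that _unstake zeroes amount, expected and unstakableTimestamp."""

    def __init__(self, cooldown: int):
        self.cooldown = cooldown
        self.now = 0  # block.timestamp
        self.stakes: Dict[str, Stake] = {}

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def stake(self, user: str, amount: int) -> None:
        s = self.stakes.setdefault(user, Stake())
        s.amount += amount
        s.unstakable_timestamp = 0  # assumption: staking again cancels a pending unstake

    def increase_expected(self, user: str, delta: int) -> None:
        # Stand-in for increaseBorrowerExpectedStake / increaseDepositorExpectedStake
        self.stakes[user].expected += delta

    def request_unstake(self, user: str) -> None:
        # Assumption: the stake becomes withdrawable `cooldown` seconds from now
        self.stakes[user].unstakable_timestamp = self.now + self.cooldown

    def unstake(self, user: str) -> int:
        """Same checks and resets as the audited _unstake; returns the KAE sent back."""
        s = self.stakes[user]
        if s.amount == 0:
            raise AssertionError("!staking")
        if not (s.unstakable_timestamp > 0 and self.now > s.unstakable_timestamp):
            raise AssertionError("using")
        returned = s.amount
        s.amount = 0
        s.expected = 0  # the penalization is erased together with the stake
        s.unstakable_timestamp = 0
        return returned

    def has_discount(self, user: str) -> bool:
        s = self.stakes.get(user, Stake())
        return s.amount > 0 and s.amount >= s.expected


def circumvent(cooldown: int) -> Tuple[bool, bool, int, int]:
    """Stake 100, get penalized to an expected 150, then cycle the stake.

    Returns (discount before cycling, discount after cycling, expected amount
    after cycling, seconds the user had to wait without a stake)."""
    m = StakingModel(cooldown)
    user = "alice"
    m.stake(user, 100)
    m.increase_expected(user, 150)       # penalization: 100 staked < 150 expected
    before = m.has_discount(user)        # False

    m.request_unstake(user)
    m.advance(cooldown + 1)              # block.timestamp must exceed unstakableTimestamp
    returned = m.unstake(user)           # amount, expected and timestamp all reset to 0
    m.stake(user, returned)              # re-stake the same 100 KAE

    after = m.has_discount(user)         # True: expected is 0 again
    return before, after, m.stakes[user].expected, cooldown + 1


if __name__ == "__main__":
    for label, cooldown in (("12 minutes", 12 * MINUTE), ("60 days", 60 * DAY)):
        print(label, circumvent(cooldown))
```

With the original 12-minute cooldown the cycle costs the user 721 seconds without a stake and leaves the expected amount at zero; with the 60-day threshold the same cycle still resets the expected amount, but only after forgoing the stake for 60 days, which is the cost the alleviation relies on rather than a change to the reset logic itself.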