Omniscia Kanpeki Finance Audit
StakingManager Manual Review Findings
StakingManager Manual Review Findings
SMR-01M: Circumvention of Expected Amount Penalization
Type | Severity | Location |
---|---|---|
Logical Fault | Major | StakingManager.sol:L189, L259, L341, L371 |
Description:
The unstaking mechanism of the system imposes at most a 12 minute cooldown since the last action that was performed on the stake, thus allowing users to circumvent increaseBorrowerExpectedStake
and increaseDepositorExpectedStake
adjustments by simply withdrawing and re-staking their tokens.
Example:
contracts/managers/StakingManager.sol
288function _unstake (bytes32 stakeType) private289{290 require(_isStaking(msg.sender, stakeType), "!staking");291
292
293 Stake memory stake = _stake[msg.sender][stakeType];294
295 require(stake.unstakableTimestamp > 0 && block.timestamp > stake.unstakableTimestamp, "using");296
297 _stake[msg.sender][stakeType].amount = 0;298 _stake[msg.sender][stakeType].expected = 0;299 _stake[msg.sender][stakeType].unstakableTimestamp = 0;300
301
302 IERC20(_KAE).safeTransfer(msg.sender, stake.amount);303
304
305 emit Unstake(msg.sender, stakeType, stake.amount);306}
Recommendation:
We advise this trait of the staking mechanism to be carefully evaluated as the overly-complex action tracking system adjusting the expected
amount a stake should satisfy to acquire discounts can be completely nullified by unstaking and restaking within the system.
Alleviation:
The unstaking time threshold was increased to 60 days which prevent this attack vector from manifesting.