Omniscia Avant Protocol Audit
StakedAvUSDV2 Manual Review Findings
StakedAvUSDV2 Manual Review Findings
SAS-01M: Inexistent Validation of Non-Zero Amount
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | StakedAvUSDV2.sol:L83 |
Description:
The StakedAvUSDV2::unstake function will not ensure that the user has a non-zero underlyingAmount, permitting a zero-value withdrawal to be performed.
Impact:
While the zero-value withdrawals will be processed and result in a zero value transfer to the receiver, they do not actually permit any value to be extracted rendering this submission to be of informational severity.
Example:
contracts/StakedAvUSDV2.sol
78/// @notice Claim the staking amount after the cooldown has finished. The address can only retire the full amount of assets.79/// @dev unstake can be called after cooldown have been set to 0, to let accounts to be able to claim remaining assets locked at Silo80/// @param receiver Address to send the assets by the staker81function unstake(address receiver) external {82 UserCooldown storage userCooldown = cooldowns[msg.sender];83 uint256 assets = userCooldown.underlyingAmount;84
85 if (block.timestamp >= userCooldown.cooldownEnd || cooldownDuration == 0) {86 userCooldown.cooldownEnd = 0;87 userCooldown.underlyingAmount = 0;88
89 silo.withdraw(receiver, assets);90 } else {91 revert InvalidCooldown();92 }93}Recommendation:
We advise a non-zero require or if-revert check to be imposed on the assets of the user, disallowing zero-value withdrawals from being performed.
Alleviation:
The code was updated to issue an early return if the amount to be unstaked is 0, alleviating this exhibit.