Platform: Code4rena
Start Date: 24/03/2023
Pot Size: $49,200 USDC
Total HM: 20
Participants: 246
Period: 6 days
Judge: Picodes
Total Solo HM: 1
Id: 226
League: ETH
Rank: 124/246
Findings: 2
Award: $24.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
11.1318 USDC - $11.13
https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L63-L101
A staker will lose his ETH funds in the SafEth contract permanently without any chance to unstake them
After SafEth gets deployed, the admin still has to add the derivatives by addDerivative. In this case any user as staker might try and call the stake() function before that, which will cause a loss of his funds in the SafEth contract.
If someone uses the stake() function before any derivative is added, it will pass successfully, and the staker receives 0 shares and still loses his funds.
So it goes like this: a staker would call the stake function and his ETH amount goes to the SafEth contract without him getting any SafEth ERC20 tokens in return. Because of that he will not be able to unstake later on, because he doesn't have SafEth tokens to burn.
Manual Review
Add this check at the beginning of the stake() function:
require(derivativeCount > 0, "No derivative is added");
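The zero-share path described in this finding, as an added Python model; it is not part of the original submission and not SafEth's Solidity code. The VaultModel class, its weight-split accounting and the 1:1 derivative valuation are simplifying assumptions; only the check and its message come from the finding.

```python
# Simplified, constructed model of a weighted-derivative staking vault (not SafEth's code).
WAD = 10**18


class Revert(Exception):
    """Stands in for a Solidity revert: the call and its ETH transfer are undone."""


class VaultModel:
    def __init__(self, require_derivative: bool):
        self.require_derivative = require_derivative  # True = mitigation applied
        self.weights = []      # one entry per added derivative
        self.deployed = []     # ETH value handed to each derivative (1:1, assumed)
        self.eth_balance = 0   # ETH left sitting in the vault itself
        self.total_supply = 0
        self.shares = {}

    def add_derivative(self, weight: int) -> None:
        self.weights.append(weight)
        self.deployed.append(0)

    def stake(self, sender: str, value: int) -> int:
        if self.require_derivative and not self.weights:
            raise Revert("No derivative is added")  # check from the finding
        underlying = sum(self.deployed)
        price = WAD if self.total_supply == 0 else underlying * WAD // self.total_supply
        self.eth_balance += value             # msg.value arrives with the call
        staked_value = 0
        total_weight = sum(self.weights)
        for i, w in enumerate(self.weights):  # zero iterations if nothing was added
            if w == 0:
                continue
            part = value * w // total_weight
            self.eth_balance -= part          # forwarded to derivative i
            self.deployed[i] += part
            staked_value += part
        minted = staked_value * WAD // price  # 0 when no derivative took the ETH
        self.total_supply += minted
        self.shares[sender] = self.shares.get(sender, 0) + minted
        return minted


def demo(require_derivative: bool):
    v = VaultModel(require_derivative)
    try:
        minted = v.stake("alice", 1 * WAD)
    except Revert as e:
        return ("reverted", str(e), v.eth_balance)
    return ("accepted", minted, v.eth_balance)
```

`demo(False)` shows the stake being accepted with 0 shares minted and the full deposit left in the vault; `demo(True)` shows the guarded call reverting so the vault balance stays at 0.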
#0 - c4-pre-sort
2023-04-02T13:31:34Z
0xSorryNotSorry marked the issue as low quality report
#1 - c4-pre-sort
2023-04-04T19:18:10Z
0xSorryNotSorry marked the issue as duplicate of #363
#2 - c4-judge
2023-04-21T16:29:57Z
Picodes marked the issue as satisfactory