Platform: Code4rena
Start Date: 24/10/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 147
Period: 6 days
Judge: 0xDjango
Id: 299
League: ETH
Rank: 146/147
Findings: 1
Award: $4.52
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xmystery
Also found by: 0x11singh99, 0xAadi, 0xAlix2, 0xG0P1, 0xStalin, 0xWaitress, 0x_Scar, 0xhacksmithh, 0xhunter, 0xpiken, Al-Qa-qa, Arz, Avci, Bauchibred, BeliSesir, Breeje, Bughunter101, DarkTower, Eeyore, Fitro, HChang26, Imlazy0ne, J4X, JCK, Kaysoft, Kral01, Madalad, Mike_Bello90, Noro, PASCAL, PENGUN, Proxy, Rickard, Shubham, SovaSlava, Strausses, Team_Rocket, ThreeSigma, Topmark, Udsen, Walter, Yanchuan, Zach_166, ZanyBonzy, adam-idarrha, adeolu, almurhasan, arjun16, ast3ros, asui, ayden, btk, cartlex_, castle_chain, cccz, chainsnake, codynhat, critical-or-high, cryptonue, csanuragjain, deepkin, degensec, dirk_y, erebus, foxb868, ge6a, hunter_w3b, jasonxiale, kkkmmmsk, lanrebayode77, lsaudit, marchev, matrix_0wl, max10afternoon, nuthan2x, oakcobalt, oxchsyston, pavankv, peanuts, pep7siup, pipidu83, pontifex, ptsanev, qpzm, radev_sw, rokinot, rotcivegaf, rvierdiiev, sorrynotsorry, squeaky_cactus, supersizer0x, tnquanghuy0512, twcctop, twicek, young, zhaojie, ziyou-
4.5226 USDC - $4.52
https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDeV2.sol#L78
In StakedUSDeV2, users will not be able to call unstake(address) to unstake their USDe if the cooldown period is decreased to a length that would have resulted in their assets being cooled down. Instead, they must wait the original cooldown period.

If the cooldownDuration is accidentally set to a large amount, there is no way for this to be corrected. Any users who started a cooldown during this period of a high cooldownDuration will need to wait that duration before unstaking.
This is low severity for two reasons:

- cooldownAssets or cooldownShares, depending on if the new value of cooldownDuration + block.timestamp is shorter than the mistaken value of cooldownDuration
- cooldownDuration is limited to MAX_COOLDOWN_DURATION of 90 days

The recommendation is to store cooldownStart instead of cooldownEnd in the UserCooldown struct. The cooldown end can then be calculated in unstake based on the current value of cooldownDuration.

block.timestamp >= userCooldown.cooldownStart + cooldownDuration
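
The two designs side by side, as a minimal Solidity sketch (an added example, not Ethena's contract). CooldownModel, startCooldown, the admin check and the two canUnstake view functions are hypothetical names, and token accounting is left out so only the timing logic remains.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited code. Only cooldownStart, cooldownEnd,
// cooldownDuration, UserCooldown and MAX_COOLDOWN_DURATION come from the report.
contract CooldownModel {
    uint24 public constant MAX_COOLDOWN_DURATION = 90 days;
    uint24 public cooldownDuration = 90 days;
    address public immutable admin;

    struct UserCooldown {
        uint104 cooldownEnd;   // reported design: deadline frozen when cooldown starts
        uint104 cooldownStart; // recommended design: only the start time is stored
    }
    mapping(address => UserCooldown) public cooldowns;

    error NotAdmin();
    error InvalidCooldown();

    constructor() {
        admin = msg.sender;
    }

    function setCooldownDuration(uint24 duration) external {
        if (msg.sender != admin) revert NotAdmin();
        if (duration > MAX_COOLDOWN_DURATION) revert InvalidCooldown();
        cooldownDuration = duration;
    }

    function startCooldown() external {
        UserCooldown storage c = cooldowns[msg.sender];
        c.cooldownEnd = uint104(block.timestamp) + cooldownDuration;
        c.cooldownStart = uint104(block.timestamp);
    }

    // Reported behaviour: a later, shorter cooldownDuration does not help
    // users whose deadline was already written with the longer value.
    function canUnstakeStoredEnd(address user) external view returns (bool) {
        return block.timestamp >= cooldowns[user].cooldownEnd;
    }

    // Recommended check: the deadline follows the current cooldownDuration.
    // Trade-off to weigh: raising cooldownDuration also lengthens pending cooldowns.
    function canUnstakeStoredStart(address user) external view returns (bool) {
        return block.timestamp >= cooldowns[user].cooldownStart + cooldownDuration;
    }
}
```

After startCooldown() at 90 days followed by setCooldownDuration(7 days), canUnstakeStoredStart becomes true once 7 days have passed, while canUnstakeStoredEnd stays false until the full 90 days are over.
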
getUnvestedAmount
https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L89-L91
```solidity
function transferInRewards(uint256 amount) external nonReentrant onlyRole(REWARDER_ROLE) notZero(amount) {
    if (getUnvestedAmount() > 0) revert StillVesting();
    uint256 newVestingAmount = amount + getUnvestedAmount();
    ...
}
```

In StakedUSDe.transferInRewards, there is an unnecessary call to getUnvestedAmount() that will always result in 0 due to the conditional on the previous line. The type is an unsigned integer and the function will revert if it is ever greater than zero. Therefore, the value here will always be equal to zero.
#0 - c4-pre-sort
2023-11-02T01:39:52Z
raymondfam marked the issue as sufficient quality report
#1 - c4-judge
2023-11-14T17:09:17Z
fatherGoose1 marked the issue as grade-b