Platform: Code4rena
Start Date: 24/10/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 147
Period: 6 days
Judge: 0xDjango
Id: 299
League: ETH
Rank: 133/147
Findings: 1
Award: $4.52
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xmystery
Also found by: 0x11singh99, 0xAadi, 0xAlix2, 0xG0P1, 0xStalin, 0xWaitress, 0x_Scar, 0xhacksmithh, 0xhunter, 0xpiken, Al-Qa-qa, Arz, Avci, Bauchibred, BeliSesir, Breeje, Bughunter101, DarkTower, Eeyore, Fitro, HChang26, Imlazy0ne, J4X, JCK, Kaysoft, Kral01, Madalad, Mike_Bello90, Noro, PASCAL, PENGUN, Proxy, Rickard, Shubham, SovaSlava, Strausses, Team_Rocket, ThreeSigma, Topmark, Udsen, Walter, Yanchuan, Zach_166, ZanyBonzy, adam-idarrha, adeolu, almurhasan, arjun16, ast3ros, asui, ayden, btk, cartlex_, castle_chain, cccz, chainsnake, codynhat, critical-or-high, cryptonue, csanuragjain, deepkin, degensec, dirk_y, erebus, foxb868, ge6a, hunter_w3b, jasonxiale, kkkmmmsk, lanrebayode77, lsaudit, marchev, matrix_0wl, max10afternoon, nuthan2x, oakcobalt, oxchsyston, pavankv, peanuts, pep7siup, pipidu83, pontifex, ptsanev, qpzm, radev_sw, rokinot, rotcivegaf, rvierdiiev, sorrynotsorry, squeaky_cactus, supersizer0x, tnquanghuy0512, twcctop, twicek, young, zhaojie, ziyou-
4.5226 USDC - $4.52
https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L82 https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L100 https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L116
When a user calls cooldownShares or cooldownAssets with a certain amount of shares/assets, his cooldownEnd time for claim with to uint104(block.timestamp) + cooldownDuration. But if he tries to redeem multiple times before claiming, the cooldownEnd will be extended by the last redeem call, this means that the previously unstaked amount (which could be available for claim) is stuck in the contract and unable to claim until some much more time has passed.
Consider the following scenario.
Bob wants to quit partially, so he redeemed 1 share on DAY 0 and has to wait 14 days before the final claim.Bob redeems another 1 share on DAY 13, the cooldownEnd has been extended by another 14 days.Bob calls the unstake function, but the transaction is reverted. He can't get the assets for the 1st redemption attempt which is frustrating and this violates the initial design.In fact, in this scenario, in the worst case, the user has to wait 90 more days which is unacceptable.
Consider another scenario.
Bob wants to quit partially, so he redeemed 1 share on DAY 0 and has to wait 14 days before the final claim.Alice (who has some approvals on Bob) performs the griefing attack and redeems another 1 share on DAY 13, the cooldownEnd has been extended by another 14 days.Bob calls the unstake function, but the transaction is reverted. If Alice keeps attacking like this, Bob will not be able to get his funds back anymore.Manual
We recommend setting nonces for each redeem attempt, and thus a cooldown period is set per attempt, so that redeem attempts won't interfere with each other.
Timing
#0 - c4-pre-sort
2023-10-31T07:41:07Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-10-31T07:41:18Z
raymondfam marked the issue as duplicate of #4
#2 - c4-pre-sort
2023-11-01T19:36:42Z
raymondfam marked the issue as duplicate of #514
#3 - c4-judge
2023-11-10T21:26:59Z
fatherGoose1 marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2023-11-17T17:04:09Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-11-20T20:20:10Z
fatherGoose1 marked the issue as grade-b