#42711 [SC-Insight] Incorrect Index Handling in `unstake` and `rageQuit` Leading to Potential Fund Loss

Submitted on Mar 25th 2025 at 13:13:44 UTC by @x60scs for Audit Comp | Yeet

  • Report ID: #42711

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol

  • Impacts:

    • Permanent freezing of funds

Description

Brief/Intro

In the StakeV2 contract, when the rageQuit and unstake functions are used, the order of the user's vestings array changes. This can lead to calling functions with incorrect indexes, causing users to perform unintended unstake or rageQuit operations, which may result in fund loss.


Vulnerability Details

This issue arises due to the way the vestings array is managed. When a user calls startUnstake, the request is stored at a specific index in the array. However, when unstake(index) or rageQuit(index) is executed, the array is reordered, causing indexes to shift. If the user or dApp performs an operation based on previous indices, or if the dApp does not update the page, they may unintentionally unstake the wrong position using unstake(index) or rageQuit(index).

Example Scenario

  1. The user initiates 5 different startUnstake requests:

    • Unstake array: (a, b, c, d, e)

    • Assigned indexes: (0, 1, 2, 3, 4)

  2. The user calls unstake(2), removing c. The array is updated as follows:

    • New array: (a, b, d, e)

    • New indexes: (0, 1, 2, 3)

    • Important: d's previous index 3 is now 2, and e's previous index 4 is now 3.

  3. If the user or a dApp, based on outdated information, calls rageQuit(3), expecting to exit d, they would actually exit e instead.

Impact Details

This vulnerability can cause users to exit the wrong vesting position, leading to unintended rageQuit operations and potential fund loss.

References

https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/StakeV2.sol#L399-L408

Recommendation

A bool isUnstake variable can be added to the Vesting struct. Additionally, minimum stake and minimum unstake conditions can be introduced to protect against DoS attacks.
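
The example scenario and the recommendation above, replayed as a small Python model. This is an added example, not code from StakeV2.sol or from the report; the class names, the `is_unstaked` field and the choice to keep flagged entries in place are assumptions about how the suggested isUnstake flag would be used.

```python
# Model of the index behaviour described in the report (constructed; not StakeV2 code).

POSITIONS = ["a", "b", "c", "d", "e"]  # constructed sample: five startUnstake requests


class ShiftingVestings:
    """Order-preserving removal, as in the report's scenario: later indexes shift down."""

    def __init__(self, positions):
        self.vestings = list(positions)

    def exit(self, index):
        # Stands in for unstake(index) / rageQuit(index).
        return self.vestings.pop(index)


class FlaggedVestings:
    """Assumed reading of the recommendation: flag the entry instead of removing it."""

    def __init__(self, positions):
        self.vestings = [{"id": p, "is_unstaked": False} for p in positions]

    def exit(self, index):
        vesting = self.vestings[index]
        if vesting["is_unstaked"]:
            # A contract would revert here rather than act on a consumed entry.
            raise ValueError(f"vesting {index} already exited")
        vesting["is_unstaked"] = True
        return vesting["id"]


def replay_scenario(store_cls):
    """Exit c, then exit d using indexes cached before the first call."""
    store = store_cls(POSITIONS)
    cached = {p: i for i, p in enumerate(POSITIONS)}  # the dApp's stale view
    first = store.exit(cached["c"])   # unstake(2)
    second = store.exit(cached["d"])  # rageQuit(3), index taken from the stale view
    return first, second


if __name__ == "__main__":
    print("shifting:", replay_scenario(ShiftingVestings))
    print("flagged: ", replay_scenario(FlaggedVestings))
```

In the flagged model the array never shrinks, so every index stays bound to the position it was assigned at startUnstake, and a repeated call on the same index is rejected.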

Proof of Concept
