0xRajkumar - Delegating Stake Without Claiming Reward Causes Loss #224
Comments
sherlock-admin3
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
sherlock-admin3
changed the title
0xRajkumar
High
Delegating Stake Without Claiming Reward Causes Loss
Summary and Vulnerability Detail
In
L2Staking, we have a function that allows stake delegation to a delegatee.This function then calls notifyDelegation in the Distribute contract, and if newDelegation is true, it will modify unclaimedStart to effectiveEpoch.
If a user delegates stake without claiming rewards from their previous stake, he will lose those rewards.
Scenario: A user delegates their stake to a delegatee and, after some epochs, decides to undelegate the stake. Later, the user chooses to delegate to the same delegatee again, but first calls claimUndelegation to pass the requirement
require(!_unclaimed(_msgSender(), delegatee), "undelegation unclaimed"). However, when the user delegates the stake again, they will lose the rewards from the previous delegation.This is a smart contract issue, not the user’s mistake. There should either be a function that allows users to claim rewards from their previous stake, or we should enforce a rule that prevents users from delegating again without first claiming their previous rewards.
Impact
Impact is high because it causes loss of user rewards.
Tool used
Manual Review
Recommendation
There should either be a function that allows users to claim rewards from their previous stake, or we should enforce a rule that prevents users from delegating again without first claiming their previous rewards.
References
https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l2/staking/Distribute.sol#L94-L114
The text was updated successfully, but these errors were encountered: