Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Rainmaker>Discussion>Withdrawal redeems all tokens
GeneralOverview
Findings
Critical (3)
Medium (4)
Informational (2)
DiscussionWithdrawal redeems all tokensUnderlying vault requires verification
Threat ModelsWhat are threat models?DefinitiveRewardToken.solDefinitiveStakingManager.sol
Audit ResultsSummary

Withdrawal redeems all tokens

When a user performs a withdrawal, the staking manager will redeem all rewardTokens they own as well. This behavior might be confusing, especially because _withdraw takes _lpTokenAmount as a parameter. A user might expect withdraw to redeem _lpTokenAmount of total tokens; instead, it withdraws _lpTokenAmount of the user's balance along with their entire balance of rewardTokens.

// burn reward tokens and get token credits
uint256 rewardTokenBalance = rewardToken.balanceOf(msg.sender);
rewardToken.burn(msg.sender, rewardTokenBalance);

In general, it may be unfavorable to withdraw in only a single token. Due to the underlying pool mechanics, this may cause users to experience excessive slippage. We suggest removing this functionality from withdraw and implementing a separate function for redepositing reward tokens into the protocol.

Alternatively, Rainmaker could simply make this behavior clear to users through documentation.

Zellic © 2024Back to top ↑