Lines of code
<https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L185-L189>
<https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L221>
Because pools will likely never be fully utilised by stakers while active, the following assumption in withdrawExcessRewards() can be broken by preventing any receipt withdrawal:
require(pool.totalDepositsWei == 0, 'Cannot withdraw until all deposits are withdrawn');
There are two main ways that this assumption can be broken:
Make use of a grace period after a pool’s staking period ends. This should give ample time to stakers to make the necessary withdrawal on the pool. Subsequently, the withdrawExcessRewards() function should be callable by anyone, allowing all funds unused funds to be withdrawn.
The text was updated successfully, but these errors were encountered:
All reactions