Lines of code
<https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/TokenggAVAX.sol#L191>
Redeem/withdraw functionality will fail under certain conditions and users who want to redeem/withdraw their AVAX will not be able to.
Users stake their AVAX and in return get ggAVAX. The AVAX provided by the users is then staked by the MiniPoolManager for a minimum period of 14 days. The problem arises because tokenggAVAX allows any user holding ggAVAX to burn them for their staked AVAX even during a staking period/reward cycle. Assuming 1010 AVAX were supplied by 1010 users(1:1) and 1000 AVAX(minimum amount) were sent to MiniPoolManager to be staked. Now we have 10 AVAX left in tokenggAVAX. This means if 20 users decided to withdraw/redeem their ggAVAX for AVAX, tokenggAVAX would become insolvent and users would not be able to redeem/withdraw.
Manual
Add a user-specified time lock during deposits for withdrawing funds unique to every user. This reduces the chances of multiple users wanting to redeem/withdraw at the same time.
The text was updated successfully, but these errors were encountered:
All reactions