-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(StakeVault): make unstaking actually work #41
Conversation
b5963f7
to
83ca038
Compare
Indeed, it should use transfer instead of transferFrom in the unstake method. Why its using these safeTransfer and safeTransferFrom? |
I've used If we're 100% certain this will only ever be used with SNT that we have designed, then we can also use plain |
If the users trust a token that misbehave ERC20 spec, thats user responsability. I am unsure how that would work, but essentially staking should be over a token that is trusted by the community, in a social setting. If we are willing to babysit the user for this, than why arent we doing it for everything else? I don't think that using safeTransferFrom and safeTransfer would cause any problem, but I think is a fix that we don't need, or at least, is not part of making unstaking work. |
Yes, very fair. I considered splitting this up into multiple commits. One that fixes the bug and another one that introduces I will undo this change and rely on plain Just so this is on the record, unless we specify the constraints and limits of the system clearly, this would probably be one of the things security auditors will point out as a high or mid. |
Unstaking didn't actually work because it was using `transferFrom()` on the `StakeVault` with the `from` address being the vault itself. This would result in an approval error because the vault isn't creating any approvals to spend its own funds. The solution is to use `transfer` instead and ensuring the return value is checked.
83ca038
to
1ec8ad3
Compare
@3esmit I've updated the PR with the following:
Let me know if this does the job for you |
Unstaking didn't actually work because it was using
transferFrom()
on theStakeVault
with thefrom
address being the vault itself. This would result in an approval error because the vault isn't creating any approvals to spend its own funds.The solution is to use
transfer
instead, or rathersafeTransfer
using SafeERC20 utilities.Checklist
Ensure you completed all of the steps below before submitting your pull request:
forge snapshot
?pnpm lint
?forge test
?pnpm verify
?