Received/Delegated stake balance not correct

Bug report template

Bug name

In the Accounts tab the received stake is not correct

Summary

In the Account tab under stake the “received stake” amount is off by at least 4 0’s. The wallet tab also shows the wrong amount if the received stake is over 1 Billion, but I assume this is an unlikely event in the mainnet.

How to exploit

Look at the Accounts tab and the stake section

Exploitation results

Just a number display error

This was actually a smart contract bug you discovered! We tracked it down and fixed it.

Rating: Critical

Here is an explanation of what happened:

The problem is two things:

  1. When the stake was delegated, the action only checked the available staked and not also the "unstaking" quantity, which is technically still self_staked but should not be able to be delegated. Because this check didn’t happen, the self_staked quantity was able to go below the unstaking quantity; then, when the unstake finished, the unstake quantity was subtracted from the self_staked and this caused the underflow.
  2. When you initiate a stake, there is another action, unstake.stop, that can cancel the unstake before it’s finished. This is basically if you start unstaking, then change your mind, you can cancel and start over, but this action was adding the unstake quantity to the self_stake quantity when called, causing your self_stake to be increased arbitrarily.
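The two flaws described in the reply, modelled side by side with a guarded version. This is an added example, not part of the original thread and not the project's contract code. The unsigned 64-bit balance type, the function names and the sample amounts are assumptions; only the field names and the behaviour come from the explanation above.

```cpp
#include <cstdint>
#include <cstdio>

// Model of the stake record above; field names follow the post, uint64_t is assumed.
struct Stake {
    uint64_t self_staked;  // still includes the amount being unstaked
    uint64_t unstaking;    // pending unstake, not yet released
    uint64_t delegated;
};

// Point 1 as described: only self_staked is checked before delegating.
bool delegate_unchecked(Stake& s, uint64_t qty) {
    if (qty > s.self_staked) return false;
    s.self_staked -= qty; s.delegated += qty;
    return true;
}

// Hardened: the pending unstake is not available for delegation.
bool delegate_checked(Stake& s, uint64_t qty) {
    if (s.unstaking > s.self_staked || qty > s.self_staked - s.unstaking) return false;
    s.self_staked -= qty; s.delegated += qty;
    return true;
}

// Unstake completes; when guarded it refuses instead of wrapping modulo 2^64.
bool finish_unstake(Stake& s, bool guarded) {
    if (guarded && s.unstaking > s.self_staked) return false;
    s.self_staked -= s.unstaking;
    s.unstaking = 0;
    return true;
}

// Point 2: the pending amount never left self_staked, so crediting it on cancel inflates it.
void stop_unstake(Stake& s, bool flawed) {
    if (flawed) s.self_staked += s.unstaking;
    s.unstaking = 0;
}

// Constructed scenario: 100 staked, 80 unstaking, then a delegation of 50.
uint64_t run(bool hardened) {
    Stake s{100, 80, 0};
    if (hardened) delegate_checked(s, 50); else delegate_unchecked(s, 50);
    finish_unstake(s, hardened);
    return s.self_staked;
}

int main() {
    std::printf("unchecked: %llu, checked: %llu\n", (unsigned long long)run(false), (unsigned long long)run(true));
}
```

In the unchecked run the balance wraps to a value just below 2^64, which is the kind of wildly wrong figure a wallet would then display; the guarded run leaves 20.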