GRT: unlockMaturity() function could return wrong results #79
Description
TRST-L-3 The unlockMaturity() function could return wrong results
• Category: Validation flaws
• Source: GraphAdapter.sol
• Status: Acknowledged
Description
In Tenderizers, the unlockMaturity() should return the block number in which the given unlockID is unlocked.
function unlockMaturity(uint256 unlockID) external view override returns (uint256) {
Storage storage $ = _loadStorage();
Unlock memory unlock = $.unlocks[unlockID];
uint256 THAWING_PERIOD = GRAPH.thawingPeriod();
// if userEpoch == currentEpoch, it is yet to unlock
// => unlockBlock + thawingPeriod
// if userEpoch == currentEpoch - 1, it is processing
// => unlockBlock
// if userEpoch < currentEpoch - 1, it has been processed
// => 0
uint256 unlockBlock = $.lastEpochUnlockedAt + THAWING_PERIOD; if (unlock.epoch == $.currentEpoch) {
return THAWING_PERIOD + unlockBlock;
} else if (unlock.epoch == $.currentEpoch - 1) {
return unlockBlock;
} else {
return 0; }
}
The issue is that the function does not validate that unlockID exists. If it doesn't, the unlock.epoch value would be zero as mapping values are zero initialized. Then, the value would be wrong depending on the state of $.currentEpoch. Integration with external projects could introduce security risks as well as front-end issues.
Recommended mitigation
Require that unlock.shares is not zero in unlockMaturity().