StakingRewards.sol withdraw() allows withdrawal of locked stakes without proper balance tracking

[jasonhuan]

In StakingRewards.sol L242, the withdraw() function does not check how much a user's balance of LP tokens comes from the locked portion of stakes, and thus may allow a user to withdraw from their locked balance. When doing so, it subtracts the non-boosted amount from _boosted_balances instead of the boosted, locked amount, and thus allows for people to manipulate their balance in the StakingRewards contract.

This bug has been reported by @samczsun.

Link to bug:

frax-solidity/contracts/Staking/StakingRewards.sol

Line 242 in 889b310

_staking_token_boosted_supply = _staking_token_boosted_supply.sub(amount);

[jasonhuan]

This bug has been fixed in commit 7d699a8 with the implementation of StakingRewardsV2.sol.

20,000 FXS will be rewarded, subject to bug bounty rules and vesting.