[N-01] Split Misleading ExchangeRateUpdated Event (#14)

Author: mzhakun

README.md

@@ -416,7 +416,7 @@ Where:
 - Dead shares: 1000 shares minted to `0xdead` on first deposit (prevents share inflation / first depositor attack)
 - Cashback reserve: tracked separately from staking pool, protected from `emergencyWithdraw`
 - Staking reserve: tracked separately, protected from `emergencyWithdraw`, reclaimable via `defundStakingReserve()`
-- Emergency withdraw: for RNBW, only excess above `totalPooledRnbw + cashbackReserve + stakingReserve + undistributedFees` can be withdrawn -- the pool, both reserves, and pending drip fees are untouchable. Non-RNBW tokens have no restriction (rescue for accidental sends).
+- Emergency withdraw: for RNBW, the transfer is capped at excess above `totalPooledRnbw + cashbackReserve + stakingReserve + undistributedFees` -- if the requested amount exceeds excess, it is silently capped (check `EmergencyWithdrawn` event for actual amount). The pool, both reserves, and pending drip fees are untouchable. Non-RNBW tokens pass through uncapped (rescue for accidental sends).
 - Min stake floor: `minStakeAmount` cannot be set below 1 RNBW
 - Inflation guard: `ZeroSharesMinted` revert protects depositors from rounding attacks
 - Residual sweep: when only dead shares remain, `totalPooledRnbw` and `undistributedFees` are swept to safe and pool is reset
@@ -542,7 +542,7 @@ Backend responsibility: filter amounts that would mint 0 shares at current rate,
 
 ### No admin access to pool or reserve
 
-There is no function that lets the admin withdraw from `totalPooledRnbw`. Pool RNBW is only withdrawable by stakers burning shares. Cashback reserve is consumable via signed allocations or reclaimable via `defundCashbackReserve()`. Staking reserve is consumable via `stakeForWithSignature` or reclaimable via `defundStakingReserve()`. `emergencyWithdraw` is restricted to excess RNBW above all four tracked pools (`totalPooledRnbw + cashbackReserve + stakingReserve + undistributedFees`). To wind down the protocol: stop new stakes (disable frontend / revoke signers), let existing users unstake normally, residual sweeps to safe when pool empties. Note: `pause()` is an emergency brake that freezes everything including unstaking -- it is not a wind-down mechanism.
+There is no function that lets the admin withdraw from `totalPooledRnbw`. Pool RNBW is only withdrawable by stakers burning shares. Cashback reserve is consumable via signed allocations or reclaimable via `defundCashbackReserve()`. Staking reserve is consumable via `stakeForWithSignature` or reclaimable via `defundStakingReserve()`. `emergencyWithdraw` caps RNBW transfers at excess above all four tracked pools (`totalPooledRnbw + cashbackReserve + stakingReserve + undistributedFees`) -- requested amounts above excess are silently capped. To wind down the protocol: stop new stakes (disable frontend / revoke signers), let existing users unstake normally, residual sweeps to safe when pool empties. Note: `pause()` is an emergency brake that freezes everything including unstaking -- it is not a wind-down mechanism.
 
 ## Future: Liquid Staking Token (xRNBW)
 

src/RNBWStaking.sol

@@ -288,16 +288,11 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
     /// @inheritdoc IRNBWStaking
     function previewStake(address user, uint256 amount) external view returns (uint256 sharesToMint) {
         if (shares[user] == 0 && amount < minStakeAmount) return 0;
-        if (totalShares == 0) {
-            if (amount <= MINIMUM_SHARES) return 0;
-            sharesToMint = amount - MINIMUM_SHARES;
-        } else {
-            sharesToMint = (amount * totalShares) / _effectivePooledRnbw();
-        }
+        return getSharesForRnbw(amount);
     }
 
     /// @inheritdoc IRNBWStaking
-    function isNonceUsed(address user, uint256 nonce) external view returns (bool) {
+    function isNonceUsed(address user, uint256 nonce) public view returns (bool) {
         return usedNonces[user][nonce];
     }
 
@@ -354,7 +349,8 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
             uint256 balance = RNBW_TOKEN.balanceOf(address(this));
             uint256 reserved = totalPooledRnbw + cashbackReserve + stakingReserve + undistributedFees;
             uint256 excess = balance > reserved ? balance - reserved : 0;
-            if (amount > excess) revert InsufficientExcess();
+            if (excess == 0) revert InsufficientExcess();
+            amount = amount > excess ? excess : amount;
         }
         IERC20(token).safeTransfer(safe, amount);
         emit EmergencyWithdrawn(token, amount);
@@ -364,6 +360,9 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
     function proposeSafe(address newSafe) external onlySafe {
         if (newSafe == address(0)) revert ZeroAddress();
         if (newSafe == safe) revert NoChange();
+        if (pendingSafe != address(0)) {
+            emit SafeProposalCancelled(safe, pendingSafe);
+        }
         pendingSafe = newSafe;
         emit SafeProposed(safe, newSafe);
     }
@@ -593,7 +592,7 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
         if (block.timestamp > expiry) revert SignatureExpired();
 
         // 2. Check nonce hasn't been used (prevents replay attacks)
-        if (usedNonces[user][nonce]) revert NonceAlreadyUsed();
+        if (isNonceUsed(user, nonce)) revert NonceAlreadyUsed();
 
         // 3. Recover signer from EIP-712 typed data hash
         bytes32 digest = _hashTypedDataV4(structHash);
@@ -704,6 +703,7 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
 
         // 10. Emit events
         emit Unstaked(user, sharesToBurn, rnbwValue, exitFee, netAmount);
+        emit PoolTotalsUpdated(totalPooledRnbw, totalShares);
     }
 
     /// @dev Stakes from the pre-funded staking reserve — no token transfer,
@@ -757,6 +757,7 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
 
         // 5. Emit events
         emit Staked(user, amount, sharesToMint, shares[user]);
+        emit PoolTotalsUpdated(totalPooledRnbw, totalShares);
     }
 
     /// @dev Allocates cashback by minting shares directly in one step.
@@ -773,7 +774,7 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
         }
 
         // 3. Calculate shares to mint at the current exchange rate
-        assert(totalShares > 0);
+        //    totalShares > 0 guaranteed by shares[user] > 0 check above.
         uint256 sharesToMint = (rnbwCashback * totalShares) / totalPooledRnbw;
 
         // 4. Revert if cashback is too small to mint shares — backend should
@@ -794,5 +795,6 @@ contract RNBWStaking is IRNBWStaking, ReentrancyGuard, Pausable, EIP712 {
 
         // 7. Emit events
         emit CashbackAllocated(user, rnbwCashback, sharesToMint);
+        emit PoolTotalsUpdated(totalPooledRnbw, totalShares);
     }
 }

src/interfaces/IRNBWStaking.sol

@@ -59,6 +59,12 @@ interface IRNBWStaking {
     /// @param totalShares The total shares outstanding
     event ExchangeRateUpdated(uint256 totalPooledRnbw, uint256 totalShares);
 
+    /// @notice Emitted after stake, unstake, or cashback allocation — pool totals change but
+    ///         the exchange rate stays ~constant (both sides scale proportionally, modulo rounding dust).
+    /// @param totalPooledRnbw The total RNBW in the staking pool
+    /// @param totalShares The total shares outstanding
+    event PoolTotalsUpdated(uint256 totalPooledRnbw, uint256 totalShares);
+
     /// @notice Emitted when the exit fee is updated
     /// @param oldExitFeeBps The previous exit fee in basis points
     /// @param newExitFeeBps The new exit fee in basis points
@@ -416,7 +422,8 @@ interface IRNBWStaking {
     /// @param amount The amount of RNBW to reclaim
     function defundCashbackReserve(uint256 amount) external;
 
-    /// @notice Propose a new safe address (step 1 of 2-step transfer, callable by current safe only)
+    /// @notice Propose a new safe address (step 1 of 2-step transfer, callable by current safe only).
+    ///         If a previous proposal exists, it is implicitly cancelled (emits SafeProposalCancelled).
     /// @param newSafe The proposed new safe address
     function proposeSafe(address newSafe) external;
 

test/RNBWStaking.t.sol

@@ -103,6 +103,15 @@ contract RNBWStakingTest is Test {
         assertEq(rnbwToken.balanceOf(alice), INITIAL_BALANCE - amount);
     }
 
+    function test_StakeEmitsPoolTotalsUpdated() public {
+        vm.startPrank(alice);
+        rnbwToken.approve(address(staking), 100 ether);
+        vm.expectEmit(true, true, false, true);
+        emit IRNBWStaking.PoolTotalsUpdated(100 ether, 100 ether);
+        staking.stake(100 ether);
+        vm.stopPrank();
+    }
+
     function test_StakeRevertZeroAmount() public {
         vm.prank(alice);
         vm.expectRevert(IRNBWStaking.ZeroAmount.selector);
@@ -309,6 +318,23 @@ contract RNBWStakingTest is Test {
         assertEq(staking.totalPooledRnbw(), 110 ether);
     }
 
+    function test_AllocateCashbackEmitsPoolTotalsUpdated() public {
+        vm.startPrank(alice);
+        rnbwToken.approve(address(staking), 100 ether);
+        staking.stake(100 ether);
+        vm.stopPrank();
+
+        _depositCashback(10 ether);
+
+        uint256 nonce = 1;
+        uint256 expiry = block.timestamp + 60;
+        bytes memory sig = _signAllocateCashback(alice, 10 ether, nonce, expiry);
+
+        vm.expectEmit(true, true, false, true);
+        emit IRNBWStaking.PoolTotalsUpdated(110 ether, 110 ether);
+        staking.allocateCashbackWithSignature(alice, 10 ether, nonce, expiry, sig);
+    }
+
     function test_AllocateCashbackRevertNoPosition() public {
         _depositCashback(10 ether);
 
@@ -520,6 +546,21 @@ contract RNBWStakingTest is Test {
         assertEq(rnbwToken.balanceOf(admin), 50 ether);
     }
 
+    function test_EmergencyWithdrawCapsAtExcess() public {
+        vm.startPrank(alice);
+        rnbwToken.approve(address(staking), 100 ether);
+        staking.stake(100 ether);
+        vm.stopPrank();
+
+        rnbwToken.mint(address(staking), 30 ether);
+
+        uint256 adminBefore = rnbwToken.balanceOf(admin);
+        vm.prank(admin);
+        staking.emergencyWithdraw(address(rnbwToken), 100 ether);
+
+        assertEq(rnbwToken.balanceOf(admin) - adminBefore, 30 ether);
+    }
+
     function test_EmergencyWithdrawRevertInsufficientExcess() public {
         vm.startPrank(alice);
         rnbwToken.approve(address(staking), 100 ether);