Users could shift tokens on `Staker` with more than he has staked

[code423n4]

Handle

shw

Vulnerability details

Impact

The shiftTokens function of Staker checks whether the user has staked at least the number of tokens he wants to shift from one side to the other (line 885). A user could call the shiftTokens function multiple times before the next price update to shift the staker's token from one side to the other with more than he has staked.

Proof of Concept

Referenced code:
Staker.sol#L885

Recommended Mitigation Steps

Add checks on userNextPrice_amountStakedSyntheticToken_toShiftAwayFrom_long and userNextPrice_amountStakedSyntheticToken_toShiftAwayFrom_short to ensure that the sum of the two variables does not exceed user's stake balance.

[JasoonS]

Yes, spot on! We spotted this the next morning after launching the competition. Token shifting was a last minute addition to the codebase. Really glad someone spotted it, but only in the last few hours, phew!

This would allow a malicious user to completely shift all the tokens (even those not belonging to them to one side or the other!!)
No funds could be stolen by the user directly (since the execution of those shifts would fail on the user level), but it could be done for personal gain (eg improving the users FLT issuance rate, or similar economic manipulation).