I have included screenshots below for the issue explained. As can be seen in image 1 I have already just under 235 CANTO staked. I initially had 242 + decimals CANTO and tried to stake all of it and figured gas would be included which happened but the CANTO didn't stake. To make sure there isn't maybe a confirmation that has to happen on the validator side or something else I gave this over 30 minutes time and then came back but the results were the same with nothing staked even though everything seemed normal and a success message was given. On a second attempt I staked 235 CANTO, it went through without any issue like before but this time my CANTO actually staked as can be seen with the first validator. I then proceeded to see if the bug is valid with screenshots 2 and forward. At this point I had 7 + decimals CANTO. Selecting MAX to stake all CANTO. Signing transaction without any issues. Waiting for transaction confirmation. Receiving message that CANTO has been successfully staked. Unfortunately the CANTO has not been staked. As can be seen, my CANTO is still in my wallet albeit of course a little less for gas. Severity: Low / Non critical Issue: This is not a security issue but much more a UX issue given that the CANTO token gets used for both staking and gas in this instance. Given low gas, gas isn't much of an issue although a user can actually somehow drain their own balance. This will certainly take A LOT of dedication with a low balance or maybe they develop a bot to re-delegate this after the 21 day period and then the bot goes into a loop because it gets success, although success has not been achieved and they forgot to put a timelock on the bot. I haven't tested the re-delegate option as 21 days hasn't passed yet for me but it might be similar. The user might also be fairly new to DeFi and is just left incredibly confused or think something is wrong on their end without looking up their address on the block explorer. I initially didnt do this either as stated above because the gas cost made a marginal difference to my account and I received the success message. The more notably and biggest issue is that it says that CANTO has been staked although it hasn't. It essentially processes the transaction but given that the transaction is MAX and gas needs to be included the transactions essentially reverts, saying it is staked instead of an error. Mitigation Recommendations: If you use a bank account you don't have to calculate bank costs, although you do get a notification if your account is low. The frontend can definitely be taken into account with a potential pop-up when users select MAX that states users should take gas into account when staking MAX and leave at least 1 CANTO or whichever number the developers decide for gas costs at all times when staking etc. or else people might use the MAX option to its full extend but never actually have their CANTO staked. 1 CANTO is definitely more than enough but also easy to remember. 1 - balance is also easy to calculate. When a v3 upgrade occur this can maybe be baked into the system with a message that states something similar but states that 1 CANTO is automatically deducted for max staked amount for gas costs given that gas is constantly fluctuating and not in the control of CANTO but supply, demand and validators. This might also lower the fatality of failed transactions and having essential UX like this will make it much easier for users to actually use the blockchain ecosystem not having to worry about the backend processes like gas to stake and potentially use other parts of the ecosystem.
