From 24fdcd3dcd7ba96243d9badcb534ea0339734aba Mon Sep 17 00:00:00 2001
From: openhands <openhands@all-hands.dev>
Date: Fri, 27 Feb 2026 06:33:32 +0000
Subject: [PATCH] fix: Stake.sol: exitPosition guard order (owner check before
 existence) (#307)

Check pos.creationTime == 0 before pos.owner != msg.sender so that
calling exitPosition on a non-existent position correctly reverts with
PositionNotFound instead of the misleading NoPermission(caller, 0x0).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 onchain/src/Stake.sol | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/onchain/src/Stake.sol b/onchain/src/Stake.sol
index b91b9f5..0557df8 100644
--- a/onchain/src/Stake.sol
+++ b/onchain/src/Stake.sol
@@ -323,12 +323,12 @@ contract Stake {
     /// @dev Pays the due taxes based on the TAX_FLOOR_DURATION and returns the remaining assets to the position owner.
     function exitPosition(uint256 positionId) external {
         StakingPosition storage pos = positions[positionId];
-        if (pos.owner != msg.sender) {
-            revert NoPermission(msg.sender, pos.owner);
-        }
         if (pos.creationTime == 0) {
             revert PositionNotFound(positionId, msg.sender);
         }
+        if (pos.owner != msg.sender) {
+            revert NoPermission(msg.sender, pos.owner);
+        }
         // to prevent snatch-and-exit grieving attack, pay TAX_FLOOR_DURATION
         _payTax(positionId, pos, TAX_FLOOR_DURATION);
         _exitPosition(positionId, pos);