This vulnerability was reported through Immunefi and classified as Critical. What follows is an extract of the whitehat's report:
When some unstaked indexer tokens are already thawing, subsequent calls to unstake (specifically Stakes.lockTokens) use MathUtils.weightedAverage to work out the required extension to the lock-in ('thawing') period. Because the implementation rounds down, user requests to unstake a small proportion of additional GRT can be made without affecting the resulting lock duration.
Thus by making many small-volume calls to Staking.unstake when a large number of tokens are imminently approaching maturity, an attacker can unstake many additional tokens without being subject to a longer thawing time.
This enables malicious extraction of value from The Graph and ill-faith activity that would otherwise be mitigated by slashing of indexer stakes.
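The rounding behaviour the report describes, as an added Python model for regression-testing the averaging logic (not code from the report or from The Graph's contracts). The formula shape, `THAWING_PERIOD`, the token amounts and the round-up variant used for comparison are assumptions chosen for illustration.

```python
# Simplified integer model of the thawing-period averaging in the report.
# Assumed, not from the page: formula shape, THAWING_PERIOD, all amounts,
# and the round-up variant used for comparison.
THAWING_PERIOD = 1000  # blocks (constructed value)


def weighted_average(value_a, weight_a, value_b, weight_b, round_up=False):
    """Integer weighted average; floor division mirrors uint256 division."""
    num = value_a * weight_a + value_b * weight_b
    den = weight_a + weight_b
    return (num + den - 1) // den if round_up else num // den


class Stake:
    def __init__(self):
        self.tokens_locked = 0
        self.locked_until = 0

    def lock_tokens(self, tokens, now, round_up=False):
        period = THAWING_PERIOD
        if self.tokens_locked > 0:
            # Average the remaining thaw of already-locked tokens with a
            # full thawing period for the newly locked tokens.
            remaining = max(self.locked_until - now, 0)
            period = weighted_average(remaining, self.tokens_locked,
                                      THAWING_PERIOD, tokens, round_up)
        self.tokens_locked += tokens
        self.locked_until = now + period


def simulate(calls, tokens_per_call, round_up=False):
    """Lock 1,000,000 tokens at block 0, then add more one block before maturity."""
    stake = Stake()
    stake.lock_tokens(1_000_000, now=0)
    now = THAWING_PERIOD - 1
    for _ in range(calls):
        stake.lock_tokens(tokens_per_call, now, round_up)
    return stake.tokens_locked, stake.locked_until - now  # (locked, blocks left)


if __name__ == "__main__":
    print("one call of 500,000, floor: ", simulate(1, 500_000))
    print("500 calls of 1,000, floor:  ", simulate(500, 1_000))
    print("500 calls of 1,000, ceiling:", simulate(500, 1_000, round_up=True))
```

In this model the same 500,000 additional tokens leave 334 blocks of thawing when requested once but only 1 block when split into 500 requests under floor division; with the round-up variant the split requests no longer shorten the lock.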