Stake may able to unlock before the StakeWithdrawalLockingPeriod pass in the first challenge period

[NingLin-P]

When an operator/nominator deregisters or withdraws stake, the stake is only able to unlock after StakeWithdrawalLockingPeriod number of domain blocks:

subspace/crates/pallet-domains/src/staking.rs

Lines 872 to 876 in a62bea9

	let latest_confirmed_domain_block_number =
	Pallet::<T>::latest_confirmed_domain_block_number(operator.current_domain_id);
	let unlock_at_confirmed_domain_block_number = latest_confirmed_domain_block_number
	.checked_add(&T::StakeWithdrawalLockingPeriod::get())
	.ok_or(Error::BlockNumberOverflow)?;

But because we are using the confirmed domain block number to calculate the unlocked block number, in the first challenge period of a new instantiated domain, the latest_confirmed_domain_block_number is always zero since only the genesis receipt is confirmed, as a result, anyone deregister/withdraw in the first challenge period will be able to unlock at the same block 0 + StakeWithdrawalLockingPeriod, no matter it is deregistered/withdraw at the first block or the last of the challenge period. So the attacker may able to submit a bad ER and deregister in the last block of the challenge period and unlock its fund in the next block before it is slashed by fraud proof.

To fix it we should use the head domain number to calculate the unlocked block number: HeadDomainNumber + StakeWithdrawalLockingPeriod

cc @vedhavyas @dariolina