SDLPoolCCIPControllerSecondary.performUpkeep doesn't check if pool needs update
Summary
SDLPoolCCIPControllerSecondary.performUpkeep doesn't check if pool needs update, which will make updates to be really rare.
Vulnerability Details
SDLPoolCCIPControllerSecondary.performUpkeep function checks if update is needed. If yes, then it processes next batch of queued actions.
shouldUpdate variable is set to true only in one case: when rewards has come from primary chain and some actions are already queued in the secondary pool. In other cases it will be not possible to execute queued actions.
When secondary pool will be created, then everyone can stake into it, but their tokens will be just sitting in the contract adn waiting until at least one lock from primary chain will be bridged to the secondary chain. This is because, otherwise rewards of the chain will be always 0 and ccip call will not be sent to the destination.
As result staked dsl of the users will be temporarily freezed on the child chain adn during that time they will not be able to do anything with the lock.
Another problem is that stakers of secondary pool will not be able to execute their actions as soon as they wish and they will depend on rewards distribution. They should always wait when next distribution is done, so their queued actions are processes. So they should wait more time.
Impact
Users can't process their actions fast. First stakers will wait when someone will brodge lock from primary chain.
Tools Used
VsCode
Recommendations
Give ability for users to execute ccip call to primary pool and pay for it.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.