stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

Delayed reSDL supply update impacting secondary chain rewards

Summary

The SDLPoolCCIPControllerSecondary contract faces a synchronization issue in updating the reSDL supply between the secondary and primary chains, leading to potential discrepancies in reward distributions.

Vulnerability Details

The flaw is identified in the _ccipReceive function. The secondary chain fails to update its reSDL supply in sync with the primary chain, unless there's a distribution of SDL tokens as rewards. This behavior results in the secondary chain being frequently out of sync, especially when the reward distribution doesn't impact the reSDL supply.

if (ISDLPoolSecondary(sdlPool).shouldUpdate()) shouldUpdate = true;

Impact

This desynchronization can lead to the secondary chain often being out of sync with the primary chain, resulting in inaccurate reward distributions. Over time, this issue can cause significant discrepancies in reward allocation.

Tools Used

Manual Review

Recommendations

The recommended fix is to adjust the update mechanism. Directly check ISDLPoolSecondary(sdlPool).shouldUpdate() in both the checkUpkeep and performUpkeep functions instead of using the storage variable shouldUpdate. This change ensures the secondary chain stays up to date with the primary chain's reSDL supply, independent of reward distribution events.
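The two upkeep-gating strategies compared above, as an added example that is not part of the submission or the project's code. It is a simplified Python state model: the class, method and event names are assumptions, a keeper is assumed to run after every event, and any other upkeep condition the real contract applies is left out.

```python
from dataclasses import dataclass

@dataclass
class SecondaryModel:
    """Toy model of the secondary-chain pool and its CCIP controller (assumed names)."""
    direct_check: bool   # True: upkeep reads the pool directly (the recommendation)
    queued: int = 0      # reSDL supply changes queued on the pool, not yet sent
    flag: bool = False   # models the controller's `shouldUpdate` storage variable

    def pool_should_update(self) -> bool:
        # Models ISDLPoolSecondary(sdlPool).shouldUpdate()
        return self.queued > 0

    def ccip_receive_rewards(self) -> None:
        # Models the line quoted from _ccipReceive: the flag is only
        # refreshed when a reward distribution message arrives.
        if self.pool_should_update():
            self.flag = True

    def check_upkeep(self) -> bool:
        return self.pool_should_update() if self.direct_check else self.flag

    def perform_upkeep(self) -> bool:
        # Sends one update to the primary chain if the gate is open.
        if not self.check_upkeep():
            return False
        self.queued, self.flag = 0, False
        return True

def simulate(events, direct_check):
    """Return (ticks with unsent supply changes, updates sent to primary)."""
    model, stale, sent = SecondaryModel(direct_check), 0, 0
    for event in events:
        if event == "stake":
            model.queued += 1
        elif event == "rewards":
            model.ccip_receive_rewards()
        sent += int(model.perform_upkeep())      # keeper runs after every event
        stale += int(model.pool_should_update())
    return stale, sent

# Constructed event sequence, one event per tick.
EVENTS = ["stake", "idle", "idle", "stake", "rewards", "idle", "stake", "idle"]

if __name__ == "__main__":
    print("storage flag :", simulate(EVENTS, direct_check=False))
    print("direct check :", simulate(EVENTS, direct_check=True))
```

With the storage flag, queued changes wait for the next reward message and are sent as one update; with the direct check, each change is sent on the next upkeep, which means more cross-chain updates.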

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
