stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Inconsistent delegatorPool handling in SDLPoolPrimary

Summary

The SDLPoolPrimary contract has a critical design flaw related to the static nature of the delegatorPool address, which poses a risk for future migration processes, especially when the ccipController is updated or if the delegatorPool is initially set to zero.

Vulnerability Details

The vulnerability stems from the contract's inability to update the delegatorPool address post-initialization. During the initialization phase, the delegatorPool is conditionally set but lacks a mechanism for subsequent updates. This static approach becomes problematic when the ccipController (linked to the delegatorPool) is updated to a new address or when the ccipController is the zero address in the initializer function, as the delegatorPool remains unchanged, leading to potential discrepancies.

if (delegatorPool == address(0)) {
    __SDLPoolBase_init(_name, _symbol, _sdlToken, _boostController);
} else {
    delegatorPool = ccipController;

Impact

This limitation hinders the contract's ability to effectively migrate stakes if the ccipController changes, as the migration process relies on the delegatorPool address. The lack of flexibility to update this address can lead to operational challenges and may compromise the security and functionality of the contract in the future.

Tools Used

Manual Review

Recommendations

Implement a function to update the delegatorPool address, ensuring it remains synchronized with the ccipController. This update mechanism should include necessary checks and validations to maintain contract integrity. Additionally, consider initializing the delegatorPool explicitly in all scenarios to avoid issues when it is set to zero initially.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
