stake.link
stake.link
DeFiHardhatBridge
27,500 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Incorrect accounting of reSDL supply across chains

juan

Summary

Incorrect accounting of reSDL supply across chains can arise if SDLPoolSecondary::executeQueuedOperations is not called on every lockId that has a queued update.

Vulnerability Details

In SDLPoolSecondary::_queueLockUpdate, queuedRESDLSupplyChange is updated, so that later an update can be sent to the primary chain, to update the RESDL total supply in the primary chain.

queuedRESDLSupplyChange +=
int256(lockUpdate.lock.amount + lockUpdate.lock.boostAmount) -
int256(lock.amount + lock.boostAmount);
if (updateNeeded == 0) updateNeeded = 1;

However, the only way for this change to be reflected in the SDLPoolSecondary is for SDLPoolSecondary::executeQueuedOperations to be executed on each of the queued locks that have an update.

Impact

While SDLPoolSecondary::executeQueuedOperations has not been called on every queued lockId that had an update, the effective balances will not be synced across chains.

Tools Used

Manual Review

Recommendations

In SDLPoolSecondary, Move the following code:

queuedRESDLSupplyChange +=
int256(lockUpdate.lock.amount + lockUpdate.lock.boostAmount) -
int256(lock.amount + lock.boostAmount);
if (updateNeeded == 0) updateNeeded = 1;

Into the _executeQueuedLockUpdates function, so that the updates in reSDL supply are kept in sync.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.