stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of maximum supply checks when minting new `reSDL` tokens.

0xbrett8571

Summary

No checks for total supply limits when minting new reSDL tokens. This could lead to inflation.

Vulnerability Details

Stems from the SDLPoolPrimary.handleIncomingUpdate() and SDLPoolSecondary._queueNewLock() functions which mint new reSDL tokens without imposing any limits.

Specifically, in SDLPoolPrimary.handleIncomingUpdate(), the contract mints _numNewRESDLTokens by simply incrementing the lastLockId counter. There are no checks to prevent minting an excessive number of tokens: SDLPoolPrimary.handleIncomingUpdate

function handleIncomingUpdate(uint256 _numNewRESDLTokens, int256 _totalRESDLSupplyChange)

external

onlyCCIPController

returns (uint256)

{

uint256 mintStartIndex;

if (_numNewRESDLTokens != 0) {

mintStartIndex = lastLockId + 1;

lastLockId += _numNewRESDLTokens;

}

Similarly, in SDLPoolSecondary._queueNewLock(), new locks are queued without any limit besides the per-account queuedNewLockLimit. But even this limit does not restrict the total number of new tokens created. SDLPoolSecondary._queueNewLock()

function _queueNewLock(

address _owner,

uint256 _amount,

uint64 _lockingDuration

) internal {

if (newLocksByOwner[_owner].length >= queuedNewLockLimit) revert TooManyQueuedLocks();

Lock memory lock = _createLock(_amount, _lockingDuration);

queuedNewLocks[updateBatchIndex].push(lock);

Impact

The impact of this is that new reSDL tokens can be arbitrarily minted without any maximum cap. This could lead to unbounded inflation as the total supply keeps increasing.

Tools Used

Recommendations

I recommend adding a totalRESDLSupplyLimit variable and modifying the minting logic to check. This would prevent exceeding a defined maximum supply and mitigate the risk of unbounded inflation.

Updates

Lead Judging Commences

0kage Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.