Implementation-Whitepaper Discrepancy: Missing Minimum Stake Enforcement in `LiquidationPool` Contract
Summary
The LiquidationPool contract allows users to stake TST and EUROs tokens to participate in the liquidation pool. According to the project's whitepaper, there is a minimum stake requirement of 100 sEURO for users to participate (Please refer 2.8.1 Liquidation Pool). However, the current implementation of the increasePosition function in the contract does not enforce this minimum stake rule. This discrepancy could lead to users staking amounts below the intended threshold, potentially causing operational issues or enabling misuse of the system.
Vulnerability Details
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L134C5-L135C47
See the above code, there is no check to make sure that the staked EUROs is 100 or greater.
Impact
The absence of a minimum stake enforcement check could allow users to participate with stakes that are too small, which may not align with the economic and security assumptions made in the whitepaper. It could also lead to increased state bloat if many small stakes are recorded on-chain.
Tools Used
Manual Review
Recommendations
Introduce a check in the increasePosition function to enforce the minimum stake requirement as specified in the whitepaper.
The check should compare the EUROs value being staked against the minimum required amount, taking into account the token's decimals.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.