MorpheusAI

Summary

The totalSupply function in StETHMock contract is overridden to return totalPooledEther instead of totalShares. This could lead to confusion as totalSupply typically represents the total number of tokens (shares in this context), not the underlying asset amount.

Vulnerability Details

In the context of ERC20 tokens, the totalSupply function typically returns the total number of tokens in existence. In this contract, however, totalSupply has been overridden to return the totalPooledEther instead. This could potentially lead to confusion for anyone interacting with the contract, as they might expect totalSupply to return the total number of shares (tokens), not the total amount of pooled Ether.

Impact

This inconsistency could also cause issues with integrations with other contracts or services that expect totalSupply to behave in the standard way. For example, a decentralized exchange might use totalSupply to calculate the price per token, which would be incorrect if totalSupply is returning the total pooled Ether instead of the total number of tokens.

Tools Used

Manual Review

Recommendations

To avoid this confusion and potential integration issues, it would be more consistent to have totalSupply return totalShares, which represents the total number of tokens (shares) in existence. If it's necessary to know the totalPooledEther, a separate function could be created for that purpose. Here's how the code could be modified to reflect this:

With these changes, totalSupply would return the total number of shares, consistent with the typical behavior of ERC20 tokens, and totalPooledEther would be accessible through its own dedicated function. This would make the contract's interface more intuitive and consistent with standard ERC20 behavior, reducing the potential for confusion or integration issues.