Tags: Beginner Friendly, Foundry, DeFi
Submission Details
Severity: high
Valid

[H-1] Points Not Adjusted on Unstaking (Points Not Reduced When User Unstakes)

Summary

The staking contract accepts ETH stakes, allows users to unstake, and, through `depositIntoVault`, converts the staked ETH to WETH and deposits it into the WETH Steak vault. Points are credited off-chain from the `STAKED` event, in proportion to the amount that was staked. The off-chain points system never processes unstakes: when a user withdraws part or all of their ETH, their points are not reduced, so their point balance no longer reflects what they actually hold staked.

Vulnerability Details

The root cause is that the off-chain points system never deducts points when a user unstakes. The `main.js` script that computes points subscribes only to the `STAKED` event and adds to the user's point balance on each one; it has no code path that reacts to a reduction of the staked amount. Points are therefore fixed at the moment of staking and stay at that level even after the user has unstaked some or all of the ETH that earned them.

Impact

  1. Stale point balances: a user keeps the points credited for their original stake even after unstaking most of it, so the points no longer correspond to the capital they actually have in the protocol.

  2. Inaccurate point tracking: because only increases are tracked, every unstake makes the ledger drift further from reality, and the totals used to rank or reward users become unreliable.

  3. Exploitation: a user can stake a large amount, be credited the matching number of points, and unstake most of it in the next transaction. The points remain, so the user collects the allocation intended for capital kept staked while bearing only the cost of two transactions. This undermines the integrity of the point allocation system.

Tools Used

Manual Review

Recommendations

  1. Implement point adjustment: have the backend consume unstaking as well as staking actions, maintain each user's net staked balance from the ordered sequence of both, and derive points from that running balance instead of from the amount in the initial `STAKED` event alone.
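The following is an added example, not the project's own `main.js`: it replays a constructed sequence of stake and unstake logs in chain order and compares the vulnerable rule (only stake events move points) with the corrected rule (points follow the net staked balance). The event names `Staked` and `Unstaked`, their fields, the sample addresses and the scoring rule of one point per ETH of net stake are assumptions for illustration.

```javascript
// Added example, not the Steaking project's main.js. Event names, fields and
// the scoring rule (1 point per whole ETH of net stake, tracked in wei) are
// assumptions for illustration.

const WEI_PER_ETH = 10n ** 18n;

// Logs for different events arrive from separate filters; merge them back into
// the order the chain emitted them (block number, then log index) before replay.
function inChainOrder(events) {
  return [...events].sort((a, b) =>
    a.blockNumber !== b.blockNumber
      ? a.blockNumber - b.blockNumber
      : a.logIndex - b.logIndex);
}

// Vulnerable behaviour: only stake events change the ledger, unstakes are ignored.
function replayStakedOnly(events) {
  const staked = new Map(); // user => wei credited
  for (const ev of inChainOrder(events)) {
    if (ev.name !== "Staked") continue;
    const user = ev.user.toLowerCase();
    staked.set(user, (staked.get(user) ?? 0n) + ev.amount);
  }
  return staked;
}

// Corrected behaviour: maintain the net staked balance from both event kinds.
function replayNetStake(events) {
  const balances = new Map(); // user => wei currently staked
  for (const ev of inChainOrder(events)) {
    const user = ev.user.toLowerCase();
    const current = balances.get(user) ?? 0n;
    if (ev.name === "Staked") {
      balances.set(user, current + ev.amount);
    } else if (ev.name === "Unstaked") {
      // An unstake larger than the tracked stake means the replay started
      // mid-history or missed logs; fail loudly rather than go negative.
      if (ev.amount > current) {
        throw new Error(`unstake ${ev.amount} exceeds tracked stake ${current} for ${user}`);
      }
      balances.set(user, current - ev.amount);
    } else {
      throw new Error(`unexpected event ${ev.name}`);
    }
  }
  return balances;
}

// Assumed scoring rule: one point per whole ETH of net stake.
function pointsOf(weiByUser, user) {
  return (weiByUser.get(user.toLowerCase()) ?? 0n) / WEI_PER_ETH;
}

// Constructed sample logs: the attacker stakes 100 ETH and pulls 99 ETH back out
// in the next block; an honest user stakes 1 ETH and leaves it in place.
const ATTACKER = "0xAttacker";
const HONEST = "0xHonest";
const SAMPLE_EVENTS = [
  { name: "Unstaked", user: ATTACKER, amount: 99n * WEI_PER_ETH,  blockNumber: 101, logIndex: 0 },
  { name: "Staked",   user: ATTACKER, amount: 100n * WEI_PER_ETH, blockNumber: 100, logIndex: 0 },
  { name: "Staked",   user: HONEST,   amount: 1n * WEI_PER_ETH,   blockNumber: 100, logIndex: 1 },
];

function demo(events = SAMPLE_EVENTS) {
  const naive = replayStakedOnly(events);
  const fixed = replayNetStake(events);
  return {
    naiveAttacker: pointsOf(naive, ATTACKER), // 100n: unstake never deducted
    fixedAttacker: pointsOf(fixed, ATTACKER), // 1n: only the ETH still staked counts
    naiveHonest: pointsOf(naive, HONEST),     // 1n
    fixedHonest: pointsOf(fixed, HONEST),     // 1n
  };
}

console.log(demo());
```

Replaying from genesis (or from a persisted checkpoint that includes balances) matters as much as handling the second event: a server that starts mid-history sees unstakes for stakes it never recorded, which is why the corrected path refuses to go negative instead of silently clamping. If points are meant to reward capital kept at risk over time, the same net-balance ledger is the input for a time-weighted rule (points accrued per second on the running balance), which removes the stake-and-withdraw incentive entirely.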

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Steaking server is not taking unstakes into account
