Liquid Staking

Summary

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/OperatorStakingPool.sol#L132-L135

Vulnerability Details

Operator can withdraw more than it's share amount in contract and can decrease total share and share balance to zero, and withdraw more than what is can withdraw. this will cause in miss calculation that other contract use and also lock funds due to wrong number of totalShare and shareBalance.

Impact

Contract that use the totalShare and shareBalance variable value will access wrong value and will lead to wrong calculation

Tools Used

Manual Review

Recommendations

Store each operator deposit amount and when they withdraw the shouldn't withdraw more than what the has in the contract.

++ mapping(address splitter => uint256 splitterDepositAmount) public operatorShareBalance;

function onTokenTransfer(address _sender, uint256 _value, bytes calldata) external {

if (msg.sender != address(lst)) revert InvalidToken();

if (!isOperator(_sender)) revert SenderNotAuthorized();

if (getOperatorStaked(_sender) + _value > depositLimit) revert ExceedsDepositLimit();

uint256 sharesAmount = lst.getSharesByStake(_value);

shareBalances[_sender] += sharesAmount;

++ operatorShareBalance[msg.sender] += shareAmount;

totalShares += sharesAmount;

emit Deposit(_sender, _value, sharesAmount);

}

\

function _withdraw(address _operator, uint256 _amount) private {

uint256 sharesAmount = lst.getSharesByStake(_amount);

if( sharesAmount != operatorShareBalance[msg.sender]) revert AmountExceedThanActualDepositAmount();

shareBalances[_operator] -= sharesAmount;

totalShares -= sharesAmount;

emit Withdraw(_operator, _amount, sharesAmount);

}