Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

First donator issue

Summary

A malicious user can donate tokens to StakingPool right after it's deployed so that stakers receive zero shares.

Vulnerability Details

The StakingPool contract has a donateTokens function that increases totalStaked without increasing shares.

On the other hand, when users try to deposit tokens to the staking pool, it calculates shares as follows:

function getSharesByStake(uint256 _amount) public view returns (uint256) {
    uint256 totalStaked = _totalStaked();
    if (totalStaked == 0) {
        return _amount;
    } else {
        return (_amount * totalShares) / totalStaked;
    }
}

When a malicious user donates to StakingPool before any deposit happens, totalStaked will be positive while totalShares is zero.

As a result, any user who stakes tokens to the staking pool will receive zero shares.

Impact

  • Loss of funds for stakers

Tools Used

Manual Review

Recommendations

The protocol should not allow token donation when totalShares is zero.
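
The accounting described in this report, as a simplified integer model with and without the recommended guard. This is an added example, not code from the submission or from the Stakelink contracts. The `deposit` logic (mint `getSharesByStake(amount)` shares, then add the amount to `totalStaked`), the guard flag, and the `stuck` and `run_scenario` helpers are assumptions made for illustration.

```python
class PoolModel:
    """Integer-only model of the share accounting; not the Stakelink contract."""

    def __init__(self, reject_donation_without_shares=False):
        self.total_staked = 0
        self.total_shares = 0
        # Hypothetical switch that enables the report's recommendation
        self.reject_donation_without_shares = reject_donation_without_shares

    def get_shares_by_stake(self, amount):
        # Same two branches as getSharesByStake quoted in the report
        if self.total_staked == 0:
            return amount
        return (amount * self.total_shares) // self.total_staked  # floor division, as in Solidity

    def donate_tokens(self, amount):
        # Recommendation: no donations while totalShares is zero
        if self.reject_donation_without_shares and self.total_shares == 0:
            raise ValueError("donation rejected: totalShares is zero")
        self.total_staked += amount  # totalShares is left unchanged

    def deposit(self, amount):
        # Assumed deposit path: mint shares at the current rate, then account the stake
        shares = self.get_shares_by_stake(amount)
        self.total_shares += shares
        self.total_staked += amount
        return shares

    def stuck(self):
        # State in which every deposit mints zero shares; a useful test invariant
        return self.total_staked > 0 and self.total_shares == 0


def run_scenario(guarded, donation, stakes):
    """Donate before any deposit, then stake; report what each staker was minted."""
    pool = PoolModel(reject_donation_without_shares=guarded)
    try:
        pool.donate_tokens(donation)
        donation_accepted = True
    except ValueError:
        donation_accepted = False
    minted = [pool.deposit(s) for s in stakes]
    return {"donation_accepted": donation_accepted, "minted": minted, "stuck": pool.stuck()}


if __name__ == "__main__":
    # Constructed sample values: a 1-unit donation, then two stakers
    print(run_scenario(False, 1, [10**18, 5 * 10**18]))
    print(run_scenario(True, 1, [10**18, 5 * 10**18]))
```

Asserting `not pool.stuck()` after every state-changing call in a test suite catches this condition regardless of which function caused it.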

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

donateTokens() allows a malicious user to manipulate the system in such a way that users may receive 0 shares.

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[INVALID] Donation Attack
