Submission Details
Severity:
WithdrawPool:deposit() is broken()
Summary
WithdrawPool:deposit() is broken()
Vulnerability Details
Asset tokens are deposit via priority pool to withdrawPool if there is any queuedWithdrawls, and in return withdrawPool transfers the lst token back to the priority pool.
function _deposit(
address _account,
uint256 _amount,
bool _shouldQueue,
bytes[] memory _data
) internal {
if (poolStatus != PoolStatus.OPEN) revert DepositsDisabled();
uint256 toDeposit = _amount;
if (totalQueued == 0) {
uint256 queuedWithdrawals = withdrawalPool.getTotalQueuedWithdrawals();
if (queuedWithdrawals != 0) {
uint256 toDepositIntoQueue = toDeposit <= queuedWithdrawals
? toDeposit
: queuedWithdrawals;
-> withdrawalPool.deposit(toDepositIntoQueue);
toDeposit -= toDepositIntoQueue;
IERC20Upgradeable(address(stakingPool)).safeTransfer(_account, toDepositIntoQueue);
}
///
}
function deposit(uint256 _amount) external onlyPriorityPool {
token.safeTransferFrom(msg.sender, address(this), _amount);
-> lst.safeTransfer(msg.sender, _amount);
_finalizeWithdrawals(_amount);
}
The issue is, lst is transferred to priority pool without converting to shares amount.
Impact
User will receive wrong amount of lst shares
Tools Used
VS code
Recommendations
First convert the asset token amount to shares then transfer it back to priority pool
Updates
Prize pool breakdown
Total prize
50,000 USDC
nSLOC
2,53020 USDC / LOC
42,000 USDC
4,250 USDC
3,750 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.