Liquid Staking

Summary

Deposits in an empty priority pool may get lost if directed to the withdrawal pool as it sends the equivalent amount in LSTokens back to the priority pool where it gets stuck.

Vulnerability Details

When calling the deposit() function on the priority pool

It calls the internal function _deposit()

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/PriorityPool.sol#L601C5-L647C6

There is a scenario where there are no tokens in the queue (i.e. the p.p is empty), it checks the withdrawal pool to see if any withdrawals are waiting, if so, it starts by fulfilling them as much as possible.

The Issue begins at this point:

When depositing the required amount into the withdrawalPool, it sends the same amount received in liquid staking tokens to the sender, which is the priorityPool.

The problem is that the Priority Pool has no functionality to deal with liquid staking tokens. Therefore, those tokens will get stuck forever.

Impact

Loss of funds in case of directing the priority pool deposits to fulfill withdrawals in the withdrawal pool.

Tools Used

Manual review

Recommendations

In WithdrawalPool.sol: deposit()

change:

lst.safeTransfer(msg.sender, _amount);

into:

lst.safeTransfer(stakingPool, _amount);

Then add this amount to the account shares ( the details will be in another finding )