Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Calculation of `accountClaimed` and `accountSharesClaimed` in `PriorityPool::claimLSDTokens`

Summary

The `accountClaimed` and `accountSharesClaimed` mappings are incorrectly updated in the `PriorityPool::claimLSDTokens` function. These mappings are supposed to store the total value of an account's claimed tokens, but instead of accumulating the claimed tokens, they are storing only the most recent claimed token amount.

Vulnerability Details

The `accountClaimed` and `accountSharesClaimed` mappings are meant to store the cumulative claimed tokens of a particular account. However, instead of adding all previously claimed amounts, they are incorrectly updated with only the last claimed amount.

```solidity
uint256 amountToClaim = _amount - accountClaimed[account];
uint256 sharesAmountToClaim = _sharesAmount - accountSharesClaimed[account];
uint256 amountToClaimWithYield = stakingPool.getStakeByShares(sharesAmountToClaim);
if (amountToClaimWithYield == 0) revert NothingToClaim();
@>> accountClaimed[account] = _amount;
@>> accountSharesClaimed[account] = _sharesAmount;
IERC20Upgradeable(address(stakingPool)).safeTransfer(account, amountToClaimWithYield);
```

Impact

Incorrect calculation of the claimed token amounts of a particular account.

Recommendations

Update them as shown below:

```solidity
accountClaimed[account] += _amount;
accountSharesClaimed[account] += _sharesAmount;
```

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
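
The following is an added Python model, not the project's code and not part of the submission, of the bookkeeping in the quoted `claimLSDTokens` lines. It assumes `_amount` and `_sharesAmount` are cumulative per-account totals (which the subtraction against the stored value implies) and a 1:1 `getStakeByShares` rate, and replays the same claims under the `=` and `+=` updates.

```python
# Added model (not the project's code) of the bookkeeping in claimLSDTokens.
# Assumptions: _amount/_sharesAmount are cumulative per-account totals, and
# getStakeByShares is 1:1 (no yield) so the numbers stay easy to follow.

class Revert(Exception):
    """Stands in for a Solidity revert (custom error or 0.8 underflow)."""


def claim(state, amount, shares, accumulate):
    """One claimLSDTokens call. accumulate=False is the contract's `=` update,
    accumulate=True is the `+=` update proposed in the submission."""
    if amount < state["claimed"] or shares < state["shares_claimed"]:
        raise Revert("arithmetic underflow")       # uint256 subtraction
    shares_to_claim = shares - state["shares_claimed"]
    payout = shares_to_claim                        # getStakeByShares, 1:1
    if payout == 0:
        raise Revert("NothingToClaim")
    if accumulate:
        state["claimed"] += amount
        state["shares_claimed"] += shares
    else:
        state["claimed"] = amount
        state["shares_claimed"] = shares
    state["paid"] += payout                         # safeTransfer to account
    return payout


def replay(cumulative_totals, accumulate):
    """Replay successive claims; reverted calls leave state untouched."""
    state = {"claimed": 0, "shares_claimed": 0, "paid": 0}
    log = []
    for total in cumulative_totals:
        try:
            log.append(claim(state, total, total, accumulate))
        except Revert as err:
            log.append(str(err))
    return state, log


# Constructed sample: cumulative entitlement grows 100 -> 250 -> 400.
TOTALS = [100, 250, 250, 400]

if __name__ == "__main__":
    for label, acc in (("=  (contract)", False), ("+= (proposed)", True)):
        print(label, *replay(TOTALS, acc))
```

Under these assumptions the `=` update pays out exactly the final cumulative total, while the `+=` update records more than the account was ever entitled to and pays out less.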
