Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

The unused tokens deposit limit can be bypassed

takarez

Summary

The setUnusedDepositLimit function allows the owner to set a limit on how many unused tokens can remain in the pool outside of a strategy.

Vulnerability Details

The setUnusedDepositLimit function allows the owner to set a limit on how many unused tokens can remain in the pool outside of a strategy.

function setUnusedDepositLimit(uint256 _unusedDepositLimit) external onlyOwner {
unusedDepositLimit = _unusedDepositLimit;
}

After setting this, it means that no additional tokens beyond the specified limit can remain in the pool. However, the issue is that this limit can be easily bypassed by transferring assets directly to the pool or by using the donateTokens function.

function donateTokens(uint256 _amount) external {
token.safeTransferFrom(msg.sender, address(this), _amount);
totalStaked += _amount;
emit DonateTokens(msg.sender, _amount);
}

This means that the function is ineffective and essentially useless.

Impact

The limit can be bypassed, essentially making it useless

Tools Used

Manual review

Recommendations

This can be mitigated by ensuring the donate function takes into account the deposit limit, and by avoiding the use of token.balanceOf Instead, a variable should be used to track the unused assets whenever they are deposited.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.