Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

StakingRewardsPool::getStakeByShares() returns the input amount instead of zero or reverting when total stake is zero.

Summary

StakingRewardsPool::getStakeByShares() returns the input amount instead of zero or reverting when total stake is zero.

Vulnerability Details

Users might mistakenly believe they are entitled to the entire _amount of LST when, in fact, there are no shares to back that claim. This could create confusion about their stake in the system.

Impact

Because StakingRewardsPool is a parent contract of StakingPool, stakers/users might mistakenly believe they are entitled to the entire _amount of LST when, in fact, there are no shares to back that claim. This could create confusion about their stake in the system.

Tools Used

Manual Review

Recommendations

It would be safer to either return 0 or revert the function call, to avoid misleading users and potentially introducing economic vulnerabilities in the contract.

Here's an improved version of the function:

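    // Custom error used by the revert below; it must be declared in the contract.
    error NoSharesIssued(string message);

    function getStakeByShares(uint256 _amount) public view returns (uint256) {
        // No shares exist, so no stake can back _amount.
        if (totalShares == 0) {
            revert NoSharesIssued("No shares issued yet"); // or possibly return 0
        } else {
            return (_amount * _totalStaked()) / totalShares;
        }
    }

Updates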

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
