A vault can be deposited into by sending the tokens directly to the vaultControllerStrategy. This ensures that stakingPool::totalStaked is not increased, but the tokens are lost forever to whoever sent them. A malicious operator could make use of this to inflate the lslink price.
Suppose there are two vaults, A and B, where B is malicious. A currently contains 7000 LINK deposited via the stakingPool, so totalStaked is 7000 LINK. Operator B sends funds directly to the vcs to fill his own vault with 7100 LINK,
behaves maliciously on Chainlink several times and has all his stake slashed. At this point the deposit change is 7000 - 14100 = -7100.
He then makes a call to updateVaultGroups.
https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L551-L553
This line of code will be hit, which would make totalStaked = uint(-100), causing an underflow
and thereby inflating the price.
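The arithmetic in the scenario above, as an added Solidity example that is not the stake.link contract code: the contract name, function names and error are hypothetical, and the starting value 7000 and the change -7100 are the figures from this report. It shows an unguarded signed-to-unsigned update beside a guarded one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Added illustration only. Hypothetical model of a pool-level accounting
/// variable that is updated from a signed deposit change; not project code.
contract TotalStakedModel {
    // Constructed starting state: vault A's 7000 LINK deposited via the pool.
    uint256 public totalStaked = 7000;

    error LossExceedsTotalStaked(uint256 totalStaked, int256 depositChange);

    /// Unguarded update. The addition is checked in int256, but the explicit
    /// int256 -> uint256 conversion is not range-checked in Solidity 0.8.x,
    /// so a negative sum is reinterpreted as a very large unsigned value.
    function applyChangeUnchecked(int256 depositChange) external {
        totalStaked = uint256(int256(totalStaked) + depositChange);
    }

    /// Guarded update. A loss larger than the tracked total means the
    /// strategy balance and totalStaked were out of sync (for example,
    /// tokens reached the strategy without passing through the pool),
    /// so the update is rejected instead of being stored.
    function applyChangeChecked(int256 depositChange) external {
        int256 updated = int256(totalStaked) + depositChange;
        if (updated < 0) {
            revert LossExceedsTotalStaked(totalStaked, depositChange);
        }
        totalStaked = uint256(updated);
    }
}
```

Calling applyChangeUnchecked(-7100) stores the two's-complement wrap of -100, whereas applyChangeChecked(-7100) reverts and leaves totalStaked at 7000.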
Impact
Users will lose their funds, as early claimers will claim at this inflated price.