Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Users can deposit 1 cent of a token into the PriorityPool and submit an invalid WithdrawalBatch to the withdrawalBatches

eason

Summary

Anyone can invoke the deposit() function in PriorityPool.sol, where any _amount greater than 0 is permitted for depositing. Subsequently, when totalQueued equals 0 and queuedWithdrawals are not 0, users can call withdrawalPool.deposit(toDepositIntoQueue) to submit an invalid WithdrawalBatch into withdrawalBatches.

Vulnerability Details

When the function _finalizeWithdrawals(_amount) is called in WithdrawalPool.sol without a minimum deposits check, depositing one cent of a token can result in uint256 sharesToWithdraw = _getSharesByStake(_amount) returning 0. This occurs because queuedWithdrawals[0].sharesRemaining is 0, leading to the addition of WithdrawalBatch(uint128(0), uint128(_getStakeByShares(1 ether))) into withdrawalBatches.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/PriorityPool.sol#L255

Impact

  • wrongly calculated withdrawalBatches

PoC

it('got invalid withdrawalBatches', async () => {
const { signers, accounts, withdrawalPool } = await loadFixture(deployFixture)
await withdrawalPool.queueWithdrawal(accounts[0], toEther(1000))
await withdrawalPool.queueWithdrawal(accounts[1], toEther(250))
await withdrawalPool.queueWithdrawal(accounts[0], toEther(500))
await withdrawalPool.deposit(1)
})

Tools Used

Manual code review

Recommendations

Add a minimum deposits check to deposit(uint256 _amount, bool _shouldQueue, bytes[] calldata _data) in PriorityPool.sol.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.