The StakingPool contract has several critical state variables that are not properly initialized in the contract's initializer function. This lack of initialization can lead to various issues, including denial of service (DoS) attacks, inefficient operation of the staking logic, and potential security vulnerabilities due to improper access control checks. The identified variables include the strategies array, unusedDepositLimit, priorityPool, and rebaseController.
The strategies array is meant to hold a list of strategies that the staking pool uses to distribute tokens for yield generation. However, this array is not initialized in the contract's initializer function. During the deposit operation, the function contains a check that requires the strategies array to contain at least one strategy (require(strategies.length > 0, "Must be > 0 strategies to stake");). If no strategy is added after deployment, the deposit function will revert, preventing users from staking their tokens. Suppose a user tries to deposit tokens into the staking pool immediately after deployment, before any strategies are added. In this case, the transaction will fail because the strategies array is empty, resulting in a Denial of Service (DoS) situation for all users.
The priorityPool address is a critical component in the contract's access control mechanism. Several functions use the onlyPriorityPool modifier to restrict access to authorized operations. Since this address is not initialized during contract deployment, any function protected by the onlyPriorityPool modifier may revert when called, effectively disabling those functions until the address is set. If a function like deposit or withdraw requires interaction with the priority pool and the priority pool address is not set, the function will fail, resulting in a DoS for operations involving staking or withdrawals.
The rebaseController is responsible for managing updates to the staking pool's rewards. Without properly setting the rebaseController, any access control logic that relies on this variable may either inadvertently reject legitimate transactions or allow unauthorized access, creating potential security risks. If the rebaseController address is not properly set, unauthorized entities may attempt to call sensitive functions like updateStrategyRewards, potentially leading to incorrect reward distribution or security vulnerabilities.
Uninitialized variables can cause reverts in critical functions, preventing users from staking, withdrawing, or interacting with the pool as intended. Without strategies set, the pool will fail to deploy liquidity effectively, meaning that tokens will sit idle without generating yield, which reduces the pool's efficiency. Failure to properly initialize access control addresses (priorityPool and rebaseController) can lead to improper access checks, potentially allowing unauthorized parties to interact with restricted functions.
Manual Review
Initialize these variables in the initializer function to avoid these issues.
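A sketch of the recommended initializer, added here as an illustration and not the project's StakingPool code. The four variable names, the onlyPriorityPool modifier and the deposit check come from the finding; the types, function signatures, custom errors, event and the hand-rolled initialized guard are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added sketch, not the project's StakingPool. Variable names, the modifier name
// and the deposit require string come from the finding; everything else is assumed.
contract StakingPoolInitSketch {
    address[] public strategies;
    uint256 public unusedDepositLimit;
    address public priorityPool;
    address public rebaseController;
    bool private initialized; // stand-in for an upgradeable-proxy initializer guard

    error AlreadyInitialized();
    error ZeroAddress();
    error NoStrategies();
    error SenderNotAuthorized();
    event Deposited(address indexed account, uint256 amount); // hypothetical event

    modifier onlyPriorityPool() {
        if (msg.sender != priorityPool) revert SenderNotAuthorized();
        _;
    }

    // Sets every variable named in the finding and rejects values that would
    // leave the pool unusable (empty strategy list, zero access-control addresses).
    function initialize(
        address[] calldata _strategies,
        uint256 _unusedDepositLimit,
        address _priorityPool,
        address _rebaseController
    ) external {
        if (initialized) revert AlreadyInitialized();
        if (_priorityPool == address(0) || _rebaseController == address(0)) revert ZeroAddress();
        if (_strategies.length == 0) revert NoStrategies();
        for (uint256 i = 0; i < _strategies.length; ++i) {
            if (_strategies[i] == address(0)) revert ZeroAddress();
            strategies.push(_strategies[i]);
        }
        unusedDepositLimit = _unusedDepositLimit;
        priorityPool = _priorityPool;
        rebaseController = _rebaseController;
        initialized = true;
    }

    // Both preconditions from the finding already hold once initialize() returns.
    function deposit(address _account, uint256 _amount) external onlyPriorityPool {
        require(strategies.length > 0, "Must be > 0 strategies to stake");
        emit Deposited(_account, _amount);
    }
}
```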