Liquid Staking

Summary

There's a bug in the performUpkeep function that incorrectly handles negative rewards. When the contract's balance is less than principalDeposits, resulting in a negative newRewards value, the code subtracts the absolute value of newRewards from principalDeposits.

Vulnerability Details

This bug occurs when the contract's balance is less than principalDeposits, resulting in a negative newRewards value.

In the vulnerable code block:

When newRewards is negative, the code subtracts the absolute value of newRewards from principalDeposits. However, this operation effectively increases principalDeposits instead of decreasing it.

For example, let's say principalDeposits is 100 and newRewards is -20, the code will subtract -20 from 100, resulting in principalDeposits becoming 120. This is the opposite of the intended behavior when there are negative rewards.

Proof

1. Call the deposit function to deposit tokens, increasing principalDeposits.

2. Simulate a scenario where the contract's balance becomes less than principalDeposits. This can happen if tokens are transferred out of the contract without updating principalDeposits.

3. Call the performUpkeep function.

4. Observe that principalDeposits increases instead of decreasing, which is incorrect.

Impact

Users may not be able to withdraw their full principal if principalDeposits is inflated.

• The contract may distribute rewards incorrectly because the rewards calculation relies on the difference between the contract's balance and principalDeposits.

Tools Used

Vs Code

Recommendations

The code should add the absolute value of newRewards to principalDeposits when newRewards is negative, instead of subtracting it, adding the absolute value of newRewards to principalDeposits, it ensures that principalDeposits decreases correctly when there are negative rewards, mitigating the impact on users and maintaining the correct accounting of principal deposits.