Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

StakingRewardsPool does not use IStakingRewardsPool to set minimum contract requirements

k3ysk1lls

Summary

StakingRewardsPool does not use IStakingRewardsPool to set minimum requirements for the contract.

Vulnerability Details

Since StakingRewardsPool does not inherit the list of function definitions from IStakingRewardsPool, there are two separate interfaces for the StakingRewardsPool contract. One is "StakingRewardsPool.sol" itself and the other is "IStakingRewardsPool.sol". This may cause the following problems:

when changing one of the interfaces, remember to change the other one
any error or discrepancy between interfaces may disrupt interaction with the deployed StakingRewardsPool contract

Impact

The PriorityPool contract uses IStakingRewardsPool to interact with StakingRewardsPool. Any difference between these two interfaces can cause communication problems between contracts. It is known that there are the following discrepancies:

StakingRewardsPool: function sharesOf(address _account) public view returns (uint256) vs IStakingRewardsPool: function sharesOf(address _account) external view returns (uint256)
StakingRewardsPool: function getSharesByStake(uint256 _amount) public view returns (uint256) vs IStakingRewardsPool: function getSharesByStake(uint256 _amount) external view returns (uint256)
StakingRewardsPool: function getStakeByShares(uint256 _amount) public view returns (uint256) vs IStakingRewardsPool: function getStakeByShares(uint256 _amount) external view returns (uint256)
StakingRewardsPool: uint256 public totalShares vs IStakingRewardsPool: function totalShares() external view returns (uint256)
StakingRewardsPool: function totalSupply() public view returns (uint256) vs IStakingRewardsPool: function totalSupply() external view returns (uint256)

These are minor differences public vs external visibility, but it can change in the future if not properly managed.

Tools Used

Manual review.

Recommendations

Leaving it this way will only make the problem worse in the future. Make sure StakingRewardsPool is IStakingRewardsPool and correct any discrepancies according to the list above.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.