Liquid Staking

Summary

The deposit function is intended to accept a user's full deposit and mint the corresponding share tokens based on the total amount deposited. However, there is a bug in the logic that causes share tokens to be minted only for the amount that remains after a portion of the deposit is allocated to the withdrawal pool.

The share tokens are incorrectly minted based on the remaining amount deposited into the staking pool rather than the full deposit amount. This results in users not receiving the correct amount of share tokens for their total deposit.

Vulnerability Details

Exploit Scenario:

1. A user calls the deposit function to deposit a total of 100 LINK.

2. The system first checks if there are any queued withdrawals. If there are, it deposits the required amount into the withdrawal pool (e.g., 70 LINK) and reduces the amount left for the staking pool to 30 LINK.

3. Share tokens are only minted based on the 30 LINK deposited into the staking pool, not the full 100 LINK initially deposited.

4. As a result, the user receives share tokens that do not accurately reflect their contribution, undermining the intended mechanics of the protocol.

Impact

Loss of Investment Value: The perceived value of a user's investment diminishes as they hold fewer tokens than expected, leading to potential financial losses, especially if they intend to utilize these tokens for staking or governance decisions.

Tools Used

Manual review

Recommendations

Modify the _deposit Function: Revise the logic in the _deposit function to ensure that share tokens are minted based on the total deposit amount, rather than the amount remaining after withdrawal pool allocation. This ensures that the minting accurately reflects the user’s entire contribution.