Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Lack of non-zero check, which can lead to unpredictable behaviour in the `VaultControllerStrategy::setMaxDepositSizeBP` function.

Relevant GitHub Links

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L686

Summary

Possibility of having a maximum deposit equal to zero in the `setMaxDepositSizeBP` function.

Vulnerability Details

When a new value is written to the `maxDepositSizeBP` storage variable with the `VaultControllerStrategy::setMaxDepositSizeBP` function, no non-zero check is carried out, which means that this variable will accept a value of zero. However, this state variable represents the max basis point amount of the deposit room in the Chainlink staking contract that can be deposited at once. So this is a maximum value; it would make no sense to set a maximum value to zero:

```solidity
function setMaxDepositSizeBP(uint256 _maxDepositSizeBP) external onlyOwner {
    // @audit lack of non zero check: maximum value must not be zero
    if (_maxDepositSizeBP > 10000) revert InvalidBasisPoints();
    maxDepositSizeBP = _maxDepositSizeBP;
    emit SetMaxDepositSizeBP(_maxDepositSizeBP);
}
```

Impact

Unexpected behavior leading to potential errors, attacks or state inconsistencies.

Tools Used

Manual review.

Recommendations

function setMaxDepositSizeBP(uint256 _maxDepositSizeBP) external onlyOwner {
+ require(_maxDepositSizeBP != 0, "Max can't be zero!");
if (_maxDepositSizeBP > 10000) revert InvalidBasisPoints();
maxDepositSizeBP = _maxDepositSizeBP;
emit SetMaxDepositSizeBP(_maxDepositSizeBP);
}
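
Review bot: The added `require(_maxDepositSizeBP != 0, "Max can't be zero!")` mixes a string-reason `require` with the custom-error style used on the very next line (`revert InvalidBasisPoints()`). For consistency and a cheaper revert path, express the lower bound in the same style, for example by folding it into the existing condition as `if (_maxDepositSizeBP == 0 || _maxDepositSizeBP > 10000) revert InvalidBasisPoints();`. The function is `onlyOwner`, so the check guards against owner misconfiguration rather than untrusted input; the recommendation should state which code path misbehaves when the value is zero, since the visible lines only store the value and emit `SetMaxDepositSizeBP`.
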
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
