The removeOperators function in the OperatorStakingPool contract fails to actually transfer staked tokens back to operators when they are removed, despite updating internal accounting. This can lead to tokens being trapped in the contract and a mismatch between recorded and actual balances.
When an operator is removed via the removeOperators function, it calls the _withdraw function to handle any staked tokens:
However, the _withdraw function only updates internal accounting without transferring tokens:
This function updates share balances and emits a Withdraw event, but doesn't actually transfer any tokens to the operator.
Trapped Funds: Staked tokens remain in the contract after an operator is removed, potentially becoming inaccessible.
Accounting Discrepancy: The contract's internal accounting no longer matches its actual token balance.
Misleading Events: Withdraw events are emitted without corresponding token transfers.
Trust Issues: Operators may lose trust in the system if they can't retrieve their staked tokens upon removal.
The severity is high due to the potential for permanent loss of user funds and the fundamental misalignment between the contract's stated behavior and its actual operation.
The issue is caused by an incomplete implementation of the _withdraw function in the OperatorStakingPool contract. While it updates internal accounting, it fails to include the crucial step of transferring tokens back to the operator.
Admin adds an operator via addOperators.
Operator stakes 100 LST tokens.
Admin removes the operator via removeOperators.
The operator's internal balance is set to 0, and a Withdraw event is emitted.
However, the 100 LST tokens remain in the OperatorStakingPool contract.
The operator has no way to retrieve their staked tokens.
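The sequence above, modelled in Python as an added example (not code from the report or from the project). The Token and Pool classes, the 1:1 share-to-token ratio, the transfer_on_withdraw switch and the unaccounted() invariant check are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not the OperatorStakingPool source.
# Assumptions: 1 share == 1 token; Token is a constructed stand-in for the LST.
from collections import defaultdict

class Token:
    def __init__(self):
        self.balance_of = defaultdict(int)

    def transfer(self, src, dst, amount):
        self.balance_of[src] -= amount
        self.balance_of[dst] += amount

class Pool:
    ADDRESS = "pool"

    def __init__(self, token, transfer_on_withdraw):
        self.token, self.transfer_on_withdraw = token, transfer_on_withdraw
        self.operators, self.events = set(), []
        self.staked = defaultdict(int)  # internal accounting only

    def stake(self, op, amount):
        if op not in self.operators:
            raise PermissionError("not an operator")
        self.token.transfer(op, self.ADDRESS, amount)
        self.staked[op] += amount

    def _withdraw(self, op, amount):
        self.staked[op] -= amount
        self.events.append(("Withdraw", op, amount))
        if self.transfer_on_withdraw:  # the step the finding reports as missing
            self.token.transfer(self.ADDRESS, op, amount)

    def remove_operators(self, ops):
        for op in ops:
            if self.staked[op] > 0:
                self._withdraw(op, self.staked[op])
            self.operators.discard(op)

    def unaccounted(self):
        # Invariant to monitor: tokens held minus recorded stake should be 0.
        return self.token.balance_of[self.ADDRESS] - sum(self.staked.values())

def run_scenario(transfer_on_withdraw):
    token = Token()
    token.balance_of["operator"] = 100  # constructed starting balance
    pool = Pool(token, transfer_on_withdraw)
    pool.operators.add("operator")       # admin adds the operator
    pool.stake("operator", 100)          # operator stakes 100
    pool.remove_operators(["operator"])  # admin removes the operator
    return token.balance_of["operator"], pool.unaccounted(), pool.events
```

run_scenario(False) reproduces the reported state: the Withdraw event is recorded while the operator's wallet stays at 0 and the pool holds 100 tokens that no recorded stake covers. run_scenario(True) returns the tokens and the invariant holds.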
Make sure there is code that transfers the operator's funds. Here are two suggestions I have:
Modify the _withdraw function to include an actual token transfer:
Add a separate function for operators to claim any remaining balance after removal, in case the automatic withdrawal fails:
By implementing these recommendations, the contract will ensure that operators can always retrieve their staked tokens, maintaining the integrity and trustworthiness of the staking system.