The canWithdraw function in the PriorityPool contract has a vulnerability that allows an account to withdraw more tokens than it should be allowed to. The function incorrectly includes the totalQueued value in the calculation of the withdrawable staked tokens, inflating the total withdrawable amount.
The canWithdraw function incorrectly calculates the total amount of tokens an account can withdraw. The function includes the totalQueued value in the calculation of stLINKCanWithdraw, which represents the amount of staked tokens the account can withdraw. This inclusion inflates the withdrawable amount, potentially allowing an account to withdraw more tokens than it should be allowed to.
PriorityPool.sol: https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/PriorityPool.sol#L215-L223
The issue is in the calculation of stLINKCanWithdraw on lines 218-221. Specifically, the inclusion of totalQueued in the expression stakingPool.canWithdraw() + totalQueued - canUnqueue is incorrect and leads to the inflation of the withdrawable amount.
The addition of totalQueued to stakingPool.canWithdraw() incorrectly increases the withdrawable amount. This can lead to a situation where the total withdrawable amount (canUnqueue + stLINKCanWithdraw) exceeds the total queued tokens in the pool (totalQueued).
The canWithdraw function is intended to return the total amount of tokens an account can withdraw, considering both the account's queued tokens and staked token balance.
The function first calculates canUnqueue, which represents the amount of queued tokens the account can unqueue. It takes the minimum of the account's queued tokens (getQueuedTokens(_account, _distributionAmount)) and the total queued tokens in the pool (totalQueued).
Next, it calculates stLINKCanWithdraw, which represents the amount of staked tokens the account can withdraw. It takes the minimum of the account's staked token balance (stakingPool.balanceOf(_account)) and the sum of the staking pool's withdrawable tokens (stakingPool.canWithdraw()) and the total queued tokens (totalQueued), minus the canUnqueue amount.
The bug occurs because totalQueued is added to stakingPool.canWithdraw() in the calculation of stLINKCanWithdraw. This addition incorrectly inflates the withdrawable amount, allowing an account to potentially withdraw more tokens than it should be allowed to.
Finally, the function returns the sum of canUnqueue and stLINKCanWithdraw, which can exceed the total queued tokens in the pool due to the incorrect inclusion of totalQueued in the stLINKCanWithdraw calculation.
Users may be able to withdraw more tokens than they are entitled to, leading to an unfair distribution of tokens.
The pool's token balance may be drained, affecting the overall liquidity and functionality of the PriorityPool contract.
The incorrect calculation of withdrawable amounts can disrupt the intended behavior of the contract and undermine user trust in the system.
VS Code
Remove the totalQueued value from the calculation of stLINKCanWithdraw.
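The following Python model is an added illustration, not code from the stake.link repository. It reproduces the arithmetic of canWithdraw as described above (canUnqueue, then stLINKCanWithdraw, then their sum) alongside the recommended form with totalQueued removed from the stLINK term, and checks each result against the bound this finding uses, totalQueued. The Solidity calls stakingPool.canWithdraw(), stakingPool.balanceOf(_account), getQueuedTokens(_account, _distributionAmount) and the totalQueued storage variable are represented as plain integer fields; the sample state values are constructed. The model also surfaces one caveat a reviewer of the fix would want: under Solidity 0.8 checked arithmetic the subtraction stakingPool.canWithdraw() - canUnqueue reverts whenever canUnqueue exceeds stakingPool.canWithdraw(), so the model raises in that case instead of silently clamping.

```python
# Python model of the PriorityPool.canWithdraw arithmetic described in this finding.
# Constructed illustration, not code from the stake.link repository; the Solidity
# calls (stakingPool.canWithdraw(), stakingPool.balanceOf(), getQueuedTokens(),
# totalQueued) are represented as plain integer fields.
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolState:
    total_queued: int       # PriorityPool.totalQueued
    pool_can_withdraw: int  # stakingPool.canWithdraw()


@dataclass(frozen=True)
class AccountState:
    queued: int           # getQueuedTokens(_account, _distributionAmount), already resolved
    st_link_balance: int  # stakingPool.balanceOf(_account)


def can_unqueue(pool: PoolState, acct: AccountState) -> int:
    """Queued tokens the account can unqueue: min(account queue, pool queue)."""
    return min(acct.queued, pool.total_queued)


def can_withdraw_current(pool: PoolState, acct: AccountState) -> int:
    """Mirrors the formula quoted in the finding (totalQueued included)."""
    unqueue = can_unqueue(pool, acct)
    # (a + b) - c cannot underflow here because unqueue <= total_queued.
    st_link = min(acct.st_link_balance,
                  pool.pool_can_withdraw + pool.total_queued - unqueue)
    return unqueue + st_link


def can_withdraw_recommended(pool: PoolState, acct: AccountState) -> int:
    """Mirrors the recommended fix: totalQueued dropped from the stLINK term."""
    unqueue = can_unqueue(pool, acct)
    remaining = pool.pool_can_withdraw - unqueue
    if remaining < 0:
        # Caveat: with Solidity 0.8 checked arithmetic this subtraction reverts
        # whenever canUnqueue exceeds stakingPool.canWithdraw(); the model raises
        # rather than silently clamping to zero.
        raise ArithmeticError("stakingPool.canWithdraw() - canUnqueue would underflow")
    st_link = min(acct.st_link_balance, remaining)
    return unqueue + st_link


def exceeds_total_queued(amount: int, pool: PoolState) -> bool:
    """The bound this finding compares against: withdrawable total vs. totalQueued."""
    return amount > pool.total_queued


if __name__ == "__main__":
    # Constructed sample state: 100 tokens queued in the pool, 60 withdrawable
    # from the staking pool, an account with 50 queued tokens and 1000 stLINK.
    pool = PoolState(total_queued=100, pool_can_withdraw=60)
    acct = AccountState(queued=50, st_link_balance=1000)
    cur = can_withdraw_current(pool, acct)
    fix = can_withdraw_recommended(pool, acct)
    print(f"current formula: {cur} (exceeds totalQueued: {exceeds_total_queued(cur, pool)})")
    print(f"recommended fix: {fix} (exceeds totalQueued: {exceeds_total_queued(fix, pool)})")
```

With the constructed state, the current formula yields canUnqueue = 50 and stLINKCanWithdraw = min(1000, 60 + 100 - 50) = 110, a total of 160 against a totalQueued of 100; the recommended form yields min(1000, 60 - 50) = 10, a total of 60. Lowering pool_can_withdraw below the account's canUnqueue (for example 30 against 50) makes the recommended form raise, which is the underflow case to account for when applying the fix.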