Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Operator can't withdraw tokens in OperatorStakingPool

danzero

Summary

Operator don't receive tokens from withdrawfunction in OperatorStakingPool due to missing token transfer logic in the _withdrawfunction which could trap all tokens sent to the contract and cause loss of tokens for operators.

Vulnerability Details

The _withdrawfunction in OperatorStakingPool.sol only decrease the total shares and share balances of the operator that tries to withdraw. But there's no logic to transfer the token to the operator, as seen below:

function _withdraw(address _operator, uint256 _amount) private {
uint256 sharesAmount = lst.getSharesByStake(_amount);
shareBalances[_operator] -= sharesAmount;
totalShares -= sharesAmount;
emit Withdraw(_operator, _amount, sharesAmount);
}

Note that the _withdrawfunction is also used in the removeOperators function, so removed operators completely lost their tokens as they can't call the withdrawfunction anymore.

Impact

  • Every token that is deposited into OperatorStakingPool contract will be trapped.

  • Operator can't withdraw their tokens.

  • Removed operators lost their tokens.

Tools Used

Manual Review

Recommendations

Implement a transfer token logic using transferAndCall function of the ERC677 to the operator caling the withdrawfunction:

function _withdraw(address _operator, uint256 _amount) private {
uint256 sharesAmount = lst.getSharesByStake(_amount);
shareBalances[_operator] -= sharesAmount;
totalShares -= sharesAmount;
lst.transferAndCall(_operator,_amount,"");
emit Withdraw(_operator, _amount, sharesAmount);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`OperatorStakingPool::_withdraw()` function doesn't transfer the tokens

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.