Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Fee Calculation Error in updateDeposits Function

8olidity

Summary

Fee Calculation Error in updateDeposits Function

Vulnerability Details

A critical logical error has been identified in the updateDeposits function of the OperatorVCS contract, leading to double counting of fees and consequently affecting the accuracy of total deposits.

The issue occurs in the following code segment:

if (balance != 0) {
token.safeTransfer(address(stakingPool), balance);
newTotalDeposits -= balance;
}

Here, balance represents the fees to be paid, which have already been accounted for in the previous depositChange calculation. Subtracting balance from newTotalDeposits again results in double counting.

uint256 balance = token.balanceOf(address(this));
depositChange = int256(vaultDeposits + balance) - int256(totalDeposits);

Impact

This error causes an incorrect reduction in the total deposit amount, which in turn affects future fee calculations and reward distributions. In the long term, this could lead to an imbalance in the contract's economic model.

Tools Used

vscode

Recommendations

Remove the line newTotalDeposits -= balance;. Additionally, ensure that fees are correctly accounted for when calculating newTotalDeposits. Consider introducing a separate variable to track accumulated fees.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.