The internal function PriorityPool::_depositQueuedTokens() is responsible for depositing queued and/or unused tokens. According to the docs, the _queueDepositMin and _queueDepositMax parameters of the function are expected to be the min and max required for staking pool strategies, respectively. These min and max values are also initialized in the contract's initializer. The issue is that the internal function does not validate that both variables are actually the expected min and max. PriorityPool::depositQueuedTokens(), an external function that can be called by anyone and that uses the internal function, does not validate this either. By comparison, PriorityPool::performUpkeep(), the other function that uses the internal function, ensures that the min and max values are the expected min and max values of the protocol.
_queueDepositMin and _queueDepositMax in PriorityPool::depositQueuedTokens() could be set to any arbitrary value not in line with the protocol's policy.
Violation of the protocol's policies on min and max deposits of queued tokens into the staking pool, and a bypass of important checks in PriorityPool::_depositQueuedTokens().
Manual Review
Add a requirement check that enforces that the min and max values passed to the function are the same as the queueDepositMin and queueDepositMax global variables.
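A sketch of the recommended check, added here as an illustration and not taken from the project's source. The contract name, the queue() helper, the error and event names, the "Unchecked" function name and the body of _depositQueuedTokens() are assumptions; only the function and variable names quoted in the finding come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Reduced stand-in for PriorityPool (hypothetical; token transfers and strategies omitted).
contract PriorityPoolSketch {
    uint256 public queueDepositMin; // protocol-configured bounds, set once at deployment here
    uint256 public queueDepositMax;
    uint256 public totalQueued;     // hypothetical bookkeeping of queued tokens

    error DepositBoundsMismatch();
    error InsufficientQueuedTokens();
    event QueuedTokensDeposited(uint256 amount);

    constructor(uint256 _queueDepositMin, uint256 _queueDepositMax) {
        require(_queueDepositMin <= _queueDepositMax, "min > max");
        queueDepositMin = _queueDepositMin;
        queueDepositMax = _queueDepositMax;
    }

    // Placeholder for queuing tokens; a real pool would pull tokens from the caller.
    function queue(uint256 _amount) external {
        totalQueued += _amount;
    }

    // Pattern the finding describes: caller-supplied bounds forwarded without validation.
    function depositQueuedTokensUnchecked(uint256 _queueDepositMin, uint256 _queueDepositMax) external {
        _depositQueuedTokens(_queueDepositMin, _queueDepositMax);
    }

    // Recommended form: reject bounds that differ from the configured values.
    function depositQueuedTokens(uint256 _queueDepositMin, uint256 _queueDepositMax) external {
        if (_queueDepositMin != queueDepositMin || _queueDepositMax != queueDepositMax) {
            revert DepositBoundsMismatch();
        }
        _depositQueuedTokens(_queueDepositMin, _queueDepositMax);
    }

    // Upkeep path: always passes the configured bounds, as the finding notes.
    function performUpkeep() external {
        _depositQueuedTokens(queueDepositMin, queueDepositMax);
    }

    // Hypothetical body: deposit at most _max, and revert if less than _min is available.
    function _depositQueuedTokens(uint256 _queueDepositMin, uint256 _queueDepositMax) internal {
        uint256 toDeposit = totalQueued > _queueDepositMax ? _queueDepositMax : totalQueued;
        if (toDeposit < _queueDepositMin) revert InsufficientQueuedTokens();
        totalQueued -= toDeposit;
        emit QueuedTokensDeposited(toDeposit);
    }
}
```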