Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Accounting of Principal Deposits in LSTRewardsSplitter Contract

0xbrett8571

Summary

principalDeposits is not properly updated if the token transfer in deposit fails. It's happening because principalDeposits is updated after the transfer.

It can be reproduced by calling deposit with an amount exceeding the allowance.

Vulnerability Details

The deposit function in the LSTRewardsSplitter contract incorrectly updates the principalDeposits state variable after the token transfer. If the token transfer fails for any reason (e.g., insufficient allowance or a revert in the lst token contract), the principalDeposits variable will still be incremented, leading to an inconsistency between the actual deposited tokens and the recorded principal deposits.

Steps

The deposit function in LSTRewardsSplitter.sol updates the principalDeposits state variable after the token transfer: https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L68-L72

function deposit(uint256 _amount) external onlyController {

lst.safeTransferFrom(msg.sender, address(this), _amount);

principalDeposits += _amount;

emit Deposit(_amount);

}

If the lst.safeTransferFrom call fails due to insufficient allowance or any other reason, the execution will revert. However, the principalDeposits variable will still be incremented by _amount, even though no tokens were actually deposited.

Consider the following scenario:

The LSTRewardsSplitter contract is deployed with a valid lst token address and an initial principalDeposits value of 0.
A user attempts to deposit 100 tokens by calling the deposit function through the controller, but they have not approved the LSTRewardsSplitter contract to transfer tokens on their behalf.
The lst.safeTransferFrom call fails due to insufficient allowance, causing the transaction to revert.
Despite the failed deposit, the principalDeposits variable is still incremented by 100.
The principalDeposits variable now incorrectly reflects a deposit of 100 tokens, even though no tokens were actually transferred to the contract.

Impact

If users rely on the principalDeposits variable to track their deposited funds and make decisions based on its value, they may incorrectly believe they have more funds in the contract than they actually do. This could lead to incorrect assumptions and potential loss of funds if users attempt to withdraw or manage their deposits based on the inflated principalDeposits value.

Tools Used

Manual Review

Recommendations

Iincrement the principalDeposits variable before the token transfer

function deposit(uint256 _amount) external onlyController {

+ principalDeposits += _amount;

lst.safeTransferFrom(msg.sender, address(this), _amount);

- principalDeposits += _amount;

emit Deposit(_amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.