Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

_depositLiquidity did not process excess assets

Summary

_depositLiquidity did not process excess assets

Vulnerability Details

In the _depositLiquidity function of the StakingPool.sol contract, there is a logic flaw that may cause users' assets to be locked in the contract and unable to generate yield. This issue arises when the contract attempts to deposit assets into multiple strategies, and the total amount to be deposited exceeds the available deposit room across all strategies.


When a user calls the deposit function with a specified _amount, the contract attempts to deposit these assets into various strategies. The _depositLiquidity function iterates through all strategies and determines how much to deposit based on each strategy's canDeposit return value.


If a strategy's canDeposit is less than _amount, the contract deposits the maximum amount that the strategy can accept and reduces toDeposit by the amount deposited. The contract then continues to the next strategy.


Example Scenario

1. Scenario Setup: Assume there are two strategies, Strategy A and Strategy B.

  • Strategy A's canDeposit returns 1000.

  • Strategy B's canDeposit returns 500.

2. The user calls the deposit function with _amount set to 1500.

  • The contract deposits 1000 into Strategy A.

  • The contract deposits 500 into Strategy B.

  • The remaining toDeposit is 0.
    The total amount to be deposited (1500) exceeds the combined canDeposit of both strategies (1500).
    The remaining assets (if any) are locked in the contract and cannot be deposited into any strategy.

Impact

If a user's _amount exceeds the total canDeposit of all strategies, the remaining assets will be locked in the contract and cannot be deposited into any strategy. This may prevent the user's assets from generating yield and negatively impact the liquidity of the contract.

Tools Used

vscode

Recommendations

To prevent this issue, consider adding a check to ensure that toDeposit is 0 after iterating through all strategies. If toDeposit is greater than 0, return the assets to the user or take other appropriate actions.
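The allocation loop and the post-loop check described above, as an added Python model (not StakingPool.sol code and not part of the submission). The Strategy class, the function names and the reject-on-remainder behaviour are assumptions for illustration; the room values 1000 and 500 are the ones from the example scenario.

```python
from dataclasses import dataclass


@dataclass
class Strategy:
    """Constructed stand-in for a strategy; `room` models its deposit capacity."""
    name: str
    room: int
    deposited: int = 0

    def can_deposit(self) -> int:
        return self.room - self.deposited

    def deposit(self, amount: int) -> None:
        if amount > self.can_deposit():
            raise ValueError("deposit exceeds strategy room")
        self.deposited += amount


def deposit_liquidity(strategies, amount):
    """Fill each strategy in order up to its room.

    Returns (allocations, leftover); leftover > 0 means the strategies ran out of room.
    """
    to_deposit = amount
    allocations = {}
    for s in strategies:
        if to_deposit == 0:
            break
        take = min(to_deposit, s.can_deposit())
        if take > 0:
            s.deposit(take)
            allocations[s.name] = take
            to_deposit -= take
    return allocations, to_deposit


def deposit_liquidity_checked(strategies, amount):
    """Variant with the recommended check: refuse a deposit that would leave a remainder.

    Checked before the loop so no state changes on failure (on-chain, a revert
    after the loop would roll the deposits back to the same effect).
    """
    room = sum(s.can_deposit() for s in strategies)
    if amount > room:
        raise ValueError(f"{amount - room} would remain undeposited")
    return deposit_liquidity(strategies, amount)[0]


def sample_strategies():
    # Constructed from the report's scenario: A has room 1000, B has room 500.
    return [Strategy("A", 1000), Strategy("B", 500)]
```

With the scenario's 1500 the model allocates 1000 and 500 and returns a remainder of 0; a remainder only appears once the amount is larger than the combined room.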

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
