Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Negative `totalRewards` in `_updateStrategyRewards` Can Decrease `totalStaked` Balance

aariiif

Summary

The _updateStrategyRewards function allows totalStaked to decrease when totalRewards is negative. This can lead to incorrect accounting of the total staked amount and potentially compromise the pool's functionality and user trust.

The vulnerability occurs because the code directly adds totalRewards to totalStaked without considering the case when totalRewards is negative and its absolute value exceeds totalStaked. As a result, totalStaked can become negative, violating the expected behavior.

Vulnerability Details

In the logic that updates the totalStaked variable: https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L550-L553

// update totalStaked if there was a net change in deposits

if (totalRewards != 0) {

totalStaked = uint256(int256(totalStaked) + totalRewards);

}

When totalRewards is negative, indicating a net loss in the strategies, the totalStaked variable is decreased by the absolute value of totalRewards. This can lead to a situation where totalStaked becomes less than its previous value, violating the expected behavior that totalStaked should not decrease after updating strategy rewards.

If totalRewards is negative and its absolute value is greater than totalStaked, the totalStaked variable will become negative, resulting in incorrect accounting of the total staked amount in the pool.

Consider the following scenario

The StakingPool contract is deployed and initialized with the necessary parameters.
A strategy is added to the pool using the addStrategy function.
A significant amount of tokens is deposited into the pool using the deposit function.
The strategy incurs a net loss greater than the total staked amount. This can be simulated by manipulating the return values of the strategy's updateDeposits function to return a large negative value for depositChange.
The updateStrategyRewards function is called with the appropriate strategyIdxs and data to trigger the reward distribution.
After the updateStrategyRewards call, the value of totalStaked becomes negative, demonstrating the vulnerability.

Impact

Incorrect accounting of the total staked amount in the pool.

Tools Used

Manual Review

Recommendations

Modify the _updateStrategyRewards function to handle negative totalRewards correctly.

if (totalRewards != 0) {

- totalStaked = uint256(int256(totalStaked) + totalRewards);

+ if (totalRewards < 0 && uint256(-totalRewards) > totalStaked) {

+ totalStaked = 0;

+ } else {

+ totalStaked = uint256(int256(totalStaked) + totalRewards);

+ }

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.