Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Inaccurate Reward and Fee Distribution Due to Sudden Strategy Changes

juggernaut63

Summary

The updateStrategyRewards function in the StakingPool contract may inaccurately calculate and distribute rewards and fees when there are abrupt changes in strategy deposits or fee structures. This can lead to incorrect accounting and potential financial discrepancies.

Vulnerability Details

The vulnerability arises from the reliance on dynamic data from strategies without sufficient validation or safeguards against sudden changes. The issue is primarily located in the _updateStrategyRewards function, where it aggregates rewards and fees from multiple strategies.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L530-L538

for (uint256 i = 0; i < _strategyIdxs.length; ++i) {

IStrategy strategy = IStrategy(strategies[_strategyIdxs[i]]);

(

int256 depositChange,

address[] memory strategyReceivers,

uint256[] memory strategyFeeAmounts

) = strategy.updateDeposits(_data);

totalRewards += depositChange;

Scenario:

A strategy experiences a significant change in deposit value due to market volatility or operational adjustments.
The updateStrategyRewards function is called, and the sudden change is not adequately accounted for, leading to incorrect calculations of rewards and fees.
The function distributes rewards and fees based on these inaccurate calculations, resulting in some stakeholders receiving more or less than they are entitled to.

Impact

Stakeholders may receive incorrect amounts of rewards or fees, leading to potential financial losses or gains.

Tools Used

Manual review

Recommendations

Implement checks to validate the integrity of data received from strategies before using it in calculations.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Too generic

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.