Liquid Staking

Summary

The _depositToVaults function in the VaultDepositController contract includes checks involving _vaultIds, globalState.groupDepositIndex, and globalState.depositIndex. When these two indices are equal, specifically in their default state where both are set to 0, the function fails to process deposits and reverts due to unmet conditions. This behavior can result in an unintended denial of service expecially during initial deposits. No other function edits their states.

Vulnerability Details

The issue arises from two conditions in the _depositToVaults function:

1. if (_vaultIds.length != 0 && _vaultIds[0] != globalState.groupDepositIndex) revert InvalidVaultIds();

2. if (vaultIndex >= globalState.depositIndex) revert InvalidVaultIds();

If globalState.groupDepositIndex and globalState.depositIndex both hold the default value 0, these checks can cause the function to revert:

• _vaultIds[0] != globalState.groupDepositIndex fails if _vaultIds[0] is 0, as it matches the globalState.groupDepositIndex.

• The second condition reverts when vaultIndex (extracted from _vaultIds) is equal to globalState.depositIndex, both being 0.

• This situation makes it impossible to process deposits when the indices are in their initial state, leading to an unnecessary reversion.

Impact

The default state of the contract, where both globalState.groupDepositIndex and globalState.depositIndex are 0, causes the _depositToVaults function to revert. This prevents any initial deposits from being processed, potentially blocking the functionality of the contract for users when it is first deployed. This issue could lead to a denial of service scenario until the contract state is adjusted.

Tools Used

Manual code review of the VaultDepositController contract.

Recommendations

Handle Default Case Separately: Add a special condition for when globalState.groupDepositIndex and globalState.depositIndex are both 0, allowing initial deposits without triggering reversion.