Liquid Staking

Summary

The `Donate Token` function in the contract can bypass the unused deposit limit, which can lead to longer queues in the priority pool. Donating tokens is treated similarly to depositing tokens but does not mint new `lst` tokens and fails to enforce the unused deposit limit that should be available in the pool. This oversight can result in longer waiting times for queued deposits, disrupting the staking process.

Vulnerability Details

Token Priority in Staking Process

1. Unused Deposit

2. Queued if unused deposits are cleared.

3. New deposits directly if there is no Queue.

The issue arises because the `Donate Token` function allows users to donate tokens directly to the staking pool, but it does not consider the unused deposit limit. According to the contract logic and README documentation, when the deposited amounts MUST NOT exceed the deposit limit, it should revert to maintain the pool's balance and staking process.

However, in the `Donate Token` function, this limit is not enforced. This function is callable by anyone, and tokens donated through this function bypass the normal checks applied during deposits. The tokens donated will count as unused tokens, which are given priority over the queued tokens in the priority pool.

As a result, when donated tokens increase beyond the unused deposit limit, they take precedence over queued tokens in the priority pool. Since there is limited room in the staking strategy, the tokens in the queue may never be deposited.

This creates an unfair prioritization system where queued deposits, which should have priority, are sidelined due to the increasing number of unused tokens donated without consideration for the deposit limit.

Impact

This vulnerability can cause the following issues:

- **Queue Delays**: Users waiting in the priority pool may experience significantly longer wait times, as donated tokens take precedence over queued deposits.

- **Staking Inefficiency**: New deposits intended for staking might not be processed as intended, potentially leading to liquidity issues or missed opportunities for users to stake their tokens.

- **Bypass of Deposit Controls**: Since the `Donate Token` function does not enforce the deposit limits, attackers or regular users can exploit this by flooding the pool with unused tokens, bypassing the regular deposit mechanism and rules.

Tools Used

Manual Review

Recommendations

1. **Enforce Deposit Limit on Donate Function**: Implement a check in the `Donate Token` function to ensure that the total donated tokens do not exceed the unused deposit limit. If the limit is exceeded, the transaction should revert, similar to how regular deposits are handled.