A vulnerability exists in the PriorityPool smart contract where queued tokens deposited into the staking pool are not properly synchronized with user balances. When tokens are queued for deposit, the contract updates both the global totalQueued variable and each user’s accountQueuedTokens. However, when these tokens are later deposited into the staking pool, only totalQueued is reduced, while accountQueuedTokens[_account] remains unchanged. This results in users being unable to retrieve or correctly claim their tokens, leading to potentially locked funds.
The vulnerability occurs during the process of depositing queued tokens into the staking pool. When users deposit tokens and queue them (via the _deposit function), the contract increases the global totalQueued variable and the user's accountQueuedTokens[_account] to track the queued tokens.
In the _depositQueuedTokens function, when the queued tokens are actually deposited into the staking pool, the contract reduces totalQueued to reflect the tokens leaving the queue, but fails to reduce the corresponding accountQueuedTokens[_account]. This leads to a mismatch between the total queued tokens and the user-specific balance, leaving users with stale, inflated balances.
This failure to update accountQueuedTokens[_account] results in user funds being incorrectly locked in the system and prevents users from withdrawing or accessing their full balances.
In the _deposit function:
In the _depositQueuedTokens function:
Locked User Funds: Users may be unable to withdraw or access their tokens once they are queued, as the contract incorrectly tracks their balances, leading to permanently locked funds.
Incorrect Balance Reporting: The contract will report incorrect values for accountQueuedTokens[_account], causing accounting errors that may affect future deposits or withdrawals.
Systemic Accounting Mismatch: The desynchronization between totalQueued and accountQueuedTokens[_account] could lead to larger system-wide inconsistencies, potentially affecting other contract operations.
(Users can't unqueue tokens via the unqueueTokens function because the queued tokens are already deposited. **Very Critical**)
Update User Balances: Ensure that the accountQueuedTokens[_account] is reduced in sync with totalQueued after the tokens are deposited into the staking pool. For example:
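As an added illustration (a Python model written for this page, not the PriorityPool source and not the submission's own snippet), the following simulates the two counters as this finding describes them and checks that they stay in sync. The class, the `sync_accounts` switch and the rule for choosing which accounts to debit are assumptions.

```python
# Added example: Python model of the queue accounting described in this finding.
# Not the PriorityPool source. Names mirror the write-up; the rest is assumed.

class QueueModel:
    def __init__(self, sync_accounts):
        self.total_queued = 0        # models totalQueued
        self.account_queued = {}     # models accountQueuedTokens[_account]
        self.sync_accounts = sync_accounts  # hypothetical switch: apply the fix?

    def deposit(self, account, amount):
        """Models _deposit: queueing raises both counters."""
        self.total_queued += amount
        self.account_queued[account] = self.account_queued.get(account, 0) + amount

    def deposit_queued_tokens(self, amount):
        """Models _depositQueuedTokens: tokens leave the queue for the staking pool."""
        amount = min(amount, self.total_queued)
        self.total_queued -= amount
        if not self.sync_accounts:
            return  # behaviour reported in the finding: per-account balances untouched
        # Recommended direction: debit per-account balances by the same amount.
        # Assumption: accounts are debited in the order they first queued.
        for account in self.account_queued:
            take = min(amount, self.account_queued[account])
            self.account_queued[account] -= take
            amount -= take
            if amount == 0:
                break

    def drift(self):
        """Invariant check: sum of per-account balances minus totalQueued (0 when in sync)."""
        return sum(self.account_queued.values()) - self.total_queued


def run_scenario(sync_accounts):
    # Constructed sample: two accounts queue 150 tokens, 120 are then deposited.
    model = QueueModel(sync_accounts)
    model.deposit("alice", 100)
    model.deposit("bob", 50)
    model.deposit_queued_tokens(120)
    return model.total_queued, dict(model.account_queued), model.drift()


if __name__ == "__main__":
    print("as reported:", run_scenario(sync_accounts=False))
    print("with sync:  ", run_scenario(sync_accounts=True))
```

The `drift()` check is the kind of invariant an audit test suite can assert after every state-changing call to catch this class of desynchronization.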