Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Insufficient Data Validation in Strategy Deposit Function

Summary

The _depositLiquidity function in the StakingPool contract lacks sufficient validation for the _data parameter, which can lead to unintended behavior or potential exploits. This vulnerability arises because the function does not verify that the length of _data matches the number of strategies, potentially causing incorrect data to be passed to strategies.

Vulnerability Details

The function _depositLiquidity currently only checks if toDeposit is greater than zero, without validating the length of _data.

    function _depositLiquidity(bytes[] calldata _data) private {
        uint256 toDeposit = token.balanceOf(address(this));
        // @=> the only check performed; _data.length is not compared with strategies.length
        if (toDeposit > 0) {
            for (uint256 i = 0; i < strategies.length; i++) {
                IStrategy strategy = IStrategy(strategies[i]);
                uint256 strategyCanDeposit = strategy.canDeposit();
                if (strategyCanDeposit >= toDeposit) {
                    // Strategy can absorb everything that is left
                    strategy.deposit(toDeposit, _data[i]);
                    break;
                } else if (strategyCanDeposit > 0) {
                    // Fill this strategy and carry the remainder to the next one
                    strategy.deposit(strategyCanDeposit, _data[i]);
                    toDeposit -= strategyCanDeposit;
                }
            }
        }
    }

Scenario:

  1. An attacker calls a function that triggers the _depositLiquidity function with a _data array that has fewer elements than the number of strategies.

  2. The function iterates over the strategies and attempts to pass data from the _data array to each strategy.

  3. Due to the mismatch in the length of _data and the number of strategies, some strategies may receive incorrect or no data, leading to potential errors or unintended behavior.
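The loop above, modelled in Python as an added example (not part of the submission or the Stakelink code base), to show what each kind of length mismatch does. The `Strategy` class, the `strict` flag and all sample values are constructed, and a Solidity out-of-bounds read of `_data[i]` is modelled as a revert of the whole call.

```python
# Added model of the _depositLiquidity loop; not the StakingPool contract itself.
class Revert(Exception):
    """Stands in for an EVM revert: the whole call is undone."""

class Strategy:
    """Hypothetical strategy: accepts up to `capacity` tokens and records calls."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.calls = []  # (amount, data) pairs this strategy received

    def can_deposit(self):
        return self.capacity

    def deposit(self, amount, data):
        self.capacity -= amount
        self.calls.append((amount, data))

def deposit_liquidity(balance, capacities, data, strict=False):
    """Run the page's loop; strict=True adds a reverting length check."""
    strategies = [Strategy(c) for c in capacities]
    if strict and len(data) != len(strategies):
        raise Revert("data length != strategies length")
    to_deposit = balance
    if to_deposit > 0:
        for i, s in enumerate(strategies):
            can = s.can_deposit()
            if can == 0:
                continue  # _data[i] is never read for a full strategy
            if i >= len(data):
                # Assumption: Solidity bounds-checks _data[i] and reverts here.
                raise Revert(f"_data[{i}] out of bounds")
            if can >= to_deposit:
                s.deposit(to_deposit, data[i])
                to_deposit = 0  # model only: nothing is left over
                break
            s.deposit(can, data[i])
            to_deposit -= can
    return [s.calls for s in strategies], to_deposit

def outcome(balance, capacities, data, strict=False):
    """Same as deposit_liquidity, but reports a revert as the string 'revert'."""
    try:
        return deposit_liquidity(balance, capacities, data, strict)
    except Revert:
        return "revert"

if __name__ == "__main__":  # constructed inputs: 2 strategies, 1 data element
    print(outcome(100, [60, 50], [b"a"]), outcome(50, [60, 50], [b"a"]))
```

In this model a short `_data` either reverts when the loop reaches the missing index or goes unnoticed when an earlier strategy absorbs the whole balance, and surplus elements are never read.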

Impact

Strategies receive incorrect data, leading to operational failures or unexpected behavior.

Tools Used

Manual review

Recommendations

Add a validation check to ensure that the length of _data matches the number of strategies before proceeding with the deposit logic.

function _depositLiquidity(bytes[] calldata _data) private {
uint256 toDeposit = token.balanceOf(address(this));
- if (toDeposit > 0) {
+ if (toDeposit > 0 && _data.length == strategies.length) {
for (uint256 i = 0; i < strategies.length; i++) {
IStrategy strategy = IStrategy(strategies[i]);
uint256 strategyCanDeposit = strategy.canDeposit();
if (strategyCanDeposit >= toDeposit) {
strategy.deposit(toDeposit, _data[i]);
break;
} else if (strategyCanDeposit > 0) {
strategy.deposit(strategyCanDeposit, _data[i]);
toDeposit -= strategyCanDeposit;
}
}
}
}
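Review bot: On the added line `if (toDeposit > 0 && _data.length == strategies.length) {`, a length mismatch makes the function skip the deposit silently, so the caller sees a successful call while the token balance stays in the pool. Consider checking the length before the balance test and reverting with a descriptive error, so a malformed `_data` is rejected rather than ignored. The loop can also `break` before every element is read, so a comment on the function should state that `_data[i]` is only consumed for strategies that actually receive a deposit.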
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
