Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Submission Details
Severity: medium
Invalid

Arbitrary staking/deposit on a arbitrary token with an arbitrary amount has no checks to ensure token amount isn't type(uint256).max thus allowing wrong stake amount for certain tokens with custom logic such as cUSDCv3

Summary

Certain tokens such as cUSDCv3 have transfer logic where when a transfer takes place their transfer functionality checks if the 'amount' to be transferred is type(uint256).max, if this is the case the balance of the sender is transferred. So if a user has a dust amount cUSDCv3 attempts to stake/deposit amount 'type(uint256).max' in this protocol, the actual transfer amount will be procesed as the user's total balance of that token, not type(uint256).max. Thus the staking function will register/queue the stake as type(uint256).max but in actuality only cUSDCv3.balanceOf(msg.sender) will have been transferred.

Vulnerability Details

function deposit(uint256 _amount) external override onlyVaultController {
trackedTotalDeposits += SafeCast.toUint128(_amount);
token.safeTransferFrom(msg.sender, address(this), _amount);
IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
}

Impact

Tools Used

Recommendations

This can cause serious discrepancies with the protocol's intended logic. To remedy this, there can be a check to prevent users from passing type(uint256).max as the stake/deposit amount.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.