Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
Submission Details
Severity: high
Invalid

Incorrect Modifier Used for Pool Pause Authorization in `pauseForUpdate() :: PriorityPool.sol`.

Summary

PriorityPool's pauseForUpdate() function is guarded by the onlyDistributionOracle modifier, so the distributionOracle address can pause the pool. According to the contract's comments and intended logic, that right belongs to the rebaseController address, which is the one authorized to control pool pausing. The mismatch lets an unintended entity perform a pool-pausing operation, contrary to the expected behavior.

Vulnerability Details

The pauseForUpdate() function uses the onlyDistributionOracle modifier, which grants the distributionOracle address the authority to pause the pool. The function comment specifies, "Pauses queueing and unqueueing so a new merkle tree can be generated," which is a critical operational task that requires tightly controlled permissions.

  • Issue:
    According to the contract design, the rebaseController should be the entity with the authorization to pause the pool, as indicated by the comments stating:

    • rebaseController is responsible for pausing the pool.

    • distributionOracle is responsible only for handling LST distribution.

    However, in the implementation, the onlyDistributionOracle modifier is applied to the pauseForUpdate() function, allowing the distributionOracle to pause the pool instead of the rebaseController. This is a clear misalignment between the logic and the documentation, as the distributionOracle should not possess the ability to pause the pool.

Code Snippet

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/PriorityPool.sol#L71-L72

// address with authorization to pause the pool
address public rebaseController;

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/PriorityPool.sol#L36-L37

// address of oracle contract that handles LST distribution
address public distributionOracle;

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/PriorityPool.sol#L510-L512

/**
 * @notice Pauses queueing and unqueueing so a new merkle tree can be generated
 */
// @audit-issue: wrong modifier is used here; rebaseController, not distributionOracle,
// is the address with the right to pause the pool.
function pauseForUpdate() external onlyDistributionOracle {
    _pause();
}

Impact

This flaw grants the distributionOracle control over a critical operation it was never meant to have, which could lead to disruptions such as the pool being paused at inappropriate times. It undermines the intended control hierarchy and exposes the system to operational risk and governance issues.

Specifically:

  1. Misuse of Authority: The distributionOracle could unintentionally or maliciously pause the pool, which should only be managed by the rebaseController.

  2. Operational Risk: Unauthorized pool pauses can result in incorrect liquidity handling, delays in LST distribution, and synchronization errors, which can harm the system’s reputation and functionality.
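The impact described above, as an added Foundry test that is not part of the submission or of the Stakelink code base: PoolBase, VulnerablePool, FixedPool and the test names are constructed stand-ins that keep only the pause state and the two modifiers, and the modifier bodies and the SenderNotAuthorized error are assumed to match what the finding recommends. The first test shows the reported shape letting the oracle pause while locking out the rebase controller; the second shows the corrected modifier restoring the documented authority.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in for PriorityPool: only the pause state and the two modifiers.
abstract contract PoolBase {
    error SenderNotAuthorized();
    address public rebaseController;   // documented as the address that pauses the pool
    address public distributionOracle; // documented as handling LST distribution only
    bool public paused;
    constructor(address r, address o) { rebaseController = r; distributionOracle = o; }
    modifier onlyDistributionOracle() {
        if (msg.sender != distributionOracle) revert SenderNotAuthorized(); _;
    }
    modifier onlyRebaseController() {
        if (msg.sender != rebaseController) revert SenderNotAuthorized(); _;
    }
    function _pause() internal { paused = true; }
}
// Shape reported in the finding: the oracle, not the rebase controller, can pause.
contract VulnerablePool is PoolBase {
    constructor(address r, address o) PoolBase(r, o) {}
    function pauseForUpdate() external onlyDistributionOracle { _pause(); }
}
// Shape after the recommended fix: only the rebase controller can pause.
contract FixedPool is PoolBase {
    constructor(address r, address o) PoolBase(r, o) {}
    function pauseForUpdate() external onlyRebaseController { _pause(); }
}
contract PauseAuthTest is Test {
    address rebaser = makeAddr("rebaseController");
    address oracle = makeAddr("distributionOracle");
    function test_OracleCanPauseVulnerablePool() public {
        VulnerablePool pool = new VulnerablePool(rebaser, oracle);
        vm.prank(oracle);
        pool.pauseForUpdate(); // succeeds: the misassigned authority
        assertTrue(pool.paused());
        vm.prank(rebaser);
        vm.expectRevert(PoolBase.SenderNotAuthorized.selector);
        pool.pauseForUpdate(); // the documented authority is locked out
    }
    function test_OnlyRebaseControllerPausesFixedPool() public {
        FixedPool pool = new FixedPool(rebaser, oracle);
        vm.prank(oracle);
        vm.expectRevert(PoolBase.SenderNotAuthorized.selector);
        pool.pauseForUpdate(); // the oracle is now rejected
        vm.prank(rebaser);
        pool.pauseForUpdate();
        assertTrue(pool.paused());
    }
}
```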

Tools Used

Manual Review

Recommendations

Replace the onlyDistributionOracle modifier in the pauseForUpdate() function with the onlyRebaseController modifier to ensure that only the rebaseController has the authority to pause the pool.

++ modifier onlyRebaseController() {
if (msg.sender != rebaseController) revert SenderNotAuthorized();
_;
}
-- function pauseForUpdate() external onlyDistributionOracle {
++ function pauseForUpdate() external onlyRebaseController {
_pause();
}
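Review bot: the added modifier reverts with `SenderNotAuthorized()`, which this hunk does not declare and the Code Snippet section does not show; confirm that PriorityPool already defines that error, and that it does not already define an `onlyRebaseController` modifier (in which case the `++ modifier onlyRebaseController() {` lines would be a duplicate declaration), otherwise the recommendation will not compile as written.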
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

mahivasisth Submitter 9 months ago
inallhonesty Lead Judge 9 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
