Liquid Staking

Stakelink
DeFi Hardhat Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Missing Explicit Minimum Return Check to ensure that a minimum required amount of tokens has been deposited.

Summary

In the _depositToVaults function, there is no explicit check at the end of the process to ensure that a minimum required amount of tokens has been deposited. While the function does check that each individual vault meets the _minDeposits threshold, it doesn't ensure that the total amount deposited across all vaults reaches a certain desired or expected minimum.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L270

Vulnerability Details

Consider a scenario where the caller expects the function to deposit a certain minimum amount of tokens (_minDeposits) into all specified vaults. While the function loops over vaults and ensures that each vault individually receives at least _minDeposits, it does not enforce a check to ensure that the total amount deposited across all vaults meets or exceeds this minimum. Without this check, we could end up in situations where:

- The total deposited amount is much less than intended, even though each vault meets its individual deposit threshold.

- The toDeposit amount may still contain unallocated tokens, and no feedback is provided to indicate that the total deposit was insufficient, leading to a false sense of successful execution.

Example:

Alice wants to deposit 1000 tokens into several vaults with _minDeposits set to 100 per vault.

  • The function starts depositing into vaults and finds that each vault can only hold 50 tokens before reaching its maximum deposit limit.

  • The function successfully deposits 50 tokens into each vault and stops, but the total deposited across all vaults is only 500 tokens, far below the expected 1000 tokens.

  • Because there’s no check to ensure a minimum total return, the function completes without alerting Alice that the total deposited amount is insufficient.

Impact

Without a proper minimum return check, leftover funds might stay idle in the contract, leading to inefficiencies.

Tools Used

manual

Recommendations

Before the function completes, add an explicit check to ensure that the total amount deposited across all vaults is at least _minDeposits. If this condition is not met, the transaction should revert with an appropriate error message.

Updates

Lead Judging Commences

inallhonesty Lead Judge
9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
