getMaxDeposits() Function Incorrectly Handles Zero Merkle Root from stakeController.
Summary
The getMaxDeposits() function is responsible for determiningthe maximum amount of tokens this strategy can hold. However, the current logic returns maxDeposit when the Merkle root when its is 0, instead of returning 0 when the merkle root of stakecontorller is 0
Vulnerability Details
Here’s the detailed vulnerability explanation:
The getMaxDeposits() function is designed to determine the maximum number of tokens that can be deposited into the strategy. It relies on the Merkle root from the stakeController contract to decide whether deposits are allowed. The function checks the Merkle root to ensure staking is correctly set up before allowing deposits.
The issue lies in the following code:
In this implementation, the function returns super.getMaxDeposits() (the maximum allowable deposits) when the Merkle root from the stakeController is 0. However, according to the intended logic, if the Merkle root is 0 (i.e., not set or invalid), the function should return 0.
Impact
It can disrupt the normal operation of the strategy and create user experience problems when interacting with the staking mechanism.
Tool Used
manual review
Recommendations
The logic should be modified so that when the getMerkleRoot() from stakeController returns bytes32(0), the function returns 0 .
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.