This report identifies a reentrancy vulnerability in the `VaultControllerStrategy.sol::updateDeposits` function, which interacts with the LINK token. The function transfers LINK tokens to a staking pool, which can potentially lead to reentrancy attacks because of the way the ERC-677 LINK token operates.
The reentrancy vulnerability occurs because the LINK token, being an ERC-677 token, triggers a callback function on the receiver's contract when a transfer is made. Specifically, this is executed in the line:
The attacker controls the stakingPool or exploits a vulnerable version of it.
The updateDeposits function is called, and it transfers LINK tokens using safeTransfer().
During the transfer, the stakingPool’s onTokenTransfer callback is executed.
Inside the callback, the attacker calls updateDeposits() again before the initial call completes.
This results in inconsistent accounting or fund mismanagement in totalDeposits.
The reentrancy issue can be exploited to:
Manipulate deposit balances.
Cause inconsistent accounting.
Manual Review
Use Checks-Effects-Interactions Pattern: Ensure that state updates are done before external calls. Move the update to totalDeposits above the safeTransfer() call.
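The ordering problem and the recommended fix can be modelled outside the EVM. The following Python sketch is an added example, not the protocol's Solidity and not code from this report; the class and method names are hypothetical, and the mock token is assumed to invoke the receiver's callback during the transfer, as the report describes. It records what the staking pool can observe in the middle of the transfer under each ordering.

```python
class Token:
    """Constructed mock token: transfer() calls the receiver's callback."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, receiver, amount):
        assert self.balances.get(sender, 0) >= amount
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        receiver.on_token_transfer(sender, amount)  # external code runs here


class Strategy:
    """Hypothetical stand-in for the strategy; cei selects the ordering."""
    def __init__(self, token, pool, cei):
        self.token, self.pool, self.cei = token, pool, cei
        self.total_deposits = 0

    def update_deposits(self):
        amount = self.token.balances.get(self, 0)
        if amount == 0:
            return
        if self.cei:
            self.total_deposits += amount                 # effect first
            self.token.transfer(self, self.pool, amount)  # interaction last
        else:
            self.token.transfer(self, self.pool, amount)  # interaction first
            self.total_deposits += amount                 # effect after callback


class ObservingPool:
    """Pool whose callback re-enters and logs the accounting it sees."""
    def __init__(self, token):
        self.token = token
        self.seen = []

    def on_token_transfer(self, sender, amount):
        # (recorded total, tokens actually held by the pool) mid-transfer
        self.seen.append((sender.total_deposits, self.token.balances[self]))
        sender.update_deposits()  # re-entry from the report's scenario


def run(cei, amount=100):
    token = Token()
    pool = ObservingPool(token)
    strategy = Strategy(token, pool, cei)
    token.balances[strategy] = amount  # constructed starting balance
    strategy.update_deposits()
    return pool.seen, strategy.total_deposits
```

In this model both orderings end with the same final total, so a test that checks only the end state would not distinguish them; the difference is the stale value visible during the callback.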