Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

claimLSDTokens will not work for a second time if there is another batch of rewards to be claimed

peanuts

Summary

claimLSDTokens in PriorityPool.sol will not work if there is more than one claim and if the second claim is greater than the first claim because of underflow.

Vulnerability Details

The claimLSDToken() sets accountClaimed[account] to _amount after verifying the merkle tree entry.

function claimLSDTokens(
uint256 _amount,
uint256 _sharesAmount,
bytes32[] calldata _merkleProof
) external {
address account = msg.sender;
bytes32 node = keccak256(
bytes.concat(keccak256(abi.encode(account, _amount, _sharesAmount)))
);
if (!MerkleProofUpgradeable.verify(_merkleProof, merkleRoot, node)) revert InvalidProof();
uint256 amountToClaim = _amount - accountClaimed[account];
uint256 sharesAmountToClaim = _sharesAmount - accountSharesClaimed[account];
uint256 amountToClaimWithYield = stakingPool.getStakeByShares(sharesAmountToClaim);
if (amountToClaimWithYield == 0) revert NothingToClaim();
accountClaimed[account] = _amount;
accountSharesClaimed[account] = _sharesAmount;
IERC20Upgradeable(address(stakingPool)).safeTransfer(account, amountToClaimWithYield);
emit ClaimLSDTokens(account, amountToClaim, amountToClaimWithYield);
}

If there is a new claim, amountToClaim will overflow because accountClaimed[account] is greater than _amount.

If Alice claims 5 tokens for the first time, and is eligible to claim 10 tokens another time, the second time would not work.

Impact

Cannot claim tokens.

Tools Used

Manual Review

Recommendations

Recommend checking whether the accountClaimed[account] is greater than _amount, and adding the difference.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.