Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Depositing To Specific Vault Identifiers Can Be Used To Skip Groups

auditweiler

Summary

An arbitrary external user can influence the frequency of vault upgrades.

Vulnerability Details

Inbound deposits to a VaultControllerStrategy must unconditionally always ensure the first vault they deposit to is equal to the groupDepositIndex:

// deposits must continue with the vault they left off at during the previous call

if (_vaultIds.length != 0 && _vaultIds[0] != globalState.groupDepositIndex)

revert InvalidVaultIds();

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L183C9-L185C38

However, each successful deposit groupDepositIndex also configures the next groupDepositIndex.

Consequently, a caller can append an arbitrary vaultId to the end of their array of vaultIds to extert control over the groupDepositIndex.

Impact

Depositing into a VaultControllerStrategy is permissionless.

Through negligible donations, a user can force their vault to receive more deposits on average by forcing depositors to include their chosen vault by prioritising the groupDepositIndex to match their chosen vault.
If _vaultIds[0] does not start at groupDepositIndex, the call is reverted. This means an attacker can therefore cheaply modify the groupDepositIndex as a means to DoS inbound deposits.

Tools Used

Manual Review

Recommendations

Do not enforce which vaults should be deposited into based upon conditions which can be influenced by untrusted parties.
Always ensure a nontrivial minimum deposit is returned via getVaultDepositLimits(), never allow this to be 0.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.