Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Stuck Tokens On Vault Due To End Of Claim Period

auditweiler

Summary

The VaultControllerStrategy strands unclaimed tokens after the claim period is over.

Vulnerability Details

When the claim period is over, the FundFlowController will make a call to updateVaultGroups to permit the next group to unbound their rewards. When calling updateVaultGroups, the curUnbondedVaultGroup and the totalUnbonded (used to control which group can claim, and how much they can claim respectively) is overwritten:

function updateVaultGroups(

uint256[] calldata _curGroupVaultsToUnbond,

uint256 _curGroupTotalDepositRoom,

uint256 _nextGroup,

uint256 _nextGroupTotalUnbonded

) external onlyFundFlowController {

for (uint256 i = 0; i < _curGroupVaultsToUnbond.length; ++i) {

vaults[_curGroupVaultsToUnbond[i]].unbond();

}

vaultGroups[globalVaultState.curUnbondedVaultGroup].totalDepositRoom = uint128(

_curGroupTotalDepositRoom

);

@> globalVaultState.curUnbondedVaultGroup = uint64(_nextGroup);

@> totalUnbonded = _nextGroupTotalUnbonded;

}

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L484C9-L484C69

When overwriting these values, the claim to the previous tokens are lost irrevocably - not just for the previous group, but for the protocol as a whole - as we can see here this outstanding totalUnbonded is neither claimed nor explicitly accounted for.

Consequently, the tokens become stuck.

Impact

Unclaimed tokens are lost forever.

Tools Used

Manual Review

Recommendations

During the call to updateVaultGroups, withdraw on behalf of the unbounded group if there is an outstanding balance.
Else, reclaim any outstanding balance to the treasury.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

auditweiler Submitter

12 months ago

inallhonesty Lead Judge

12 months ago

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.