Deposits are not changed even when they are supposed to be.
Take a look at https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/CommunityVCS.sol#L85-L115
This function is used to deposit tokens from the staking pool into vaults. It includes logic that makes adjustments if the vault deposit limit has changed in the Chainlink staking contract. The issue, however, is that this logic does not account for the max deposit being decreased rather than increased.
From 7.2.2 in the September Codehawks report, we can see how Cyfrin has advised that the vaultMaxDeposits should be updated once all vault group total deposit rooms are updated. However, this is not being respected.
Accounting for the totalDepositRoom would be inaccurate. If the max is decreased by Chainlink, there should be less room for deposits, but that is not reflected, so the system attempts to process deposits even when it should not.
Manual review
Change > to !=. And if in any instance this value from Chainlink via getVaultDepositLimits() is reduced and lower than maxDeposits.
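The increase-only guard and a both-directions alternative, as an added example that is not the stake.link contract or code from the report. It is a simplified single-group model: `DepositRoomModel`, `numVaults`, both function names and the saturating subtraction are assumptions, and only `vaultMaxDeposits`, `totalDepositRoom` and `maxDeposits` are names taken from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration only: a simplified model of the accounting described
// in the finding, with one vault group and hypothetical function names.
contract DepositRoomModel {
    uint256 public vaultMaxDeposits;  // cached per-vault deposit limit
    uint256 public totalDepositRoom;  // remaining room across the group's vaults
    uint256 public immutable numVaults; // assumption: fixed vault count

    constructor(uint256 _numVaults, uint256 _initialLimit) {
        numVaults = _numVaults;
        vaultMaxDeposits = _initialLimit;
        totalDepositRoom = _numVaults * _initialLimit;
    }

    // Guard as described in the finding: only an increase is picked up.
    // A lower limit leaves vaultMaxDeposits and totalDepositRoom stale.
    function syncIncreaseOnly(uint256 maxDeposits) external {
        if (maxDeposits > vaultMaxDeposits) {
            totalDepositRoom += numVaults * (maxDeposits - vaultMaxDeposits);
            vaultMaxDeposits = maxDeposits;
        }
    }

    // Handles both directions. In this model, swapping > for != alone would
    // not be enough: maxDeposits - vaultMaxDeposits reverts on underflow in
    // Solidity >= 0.8, so the decrease gets its own branch.
    function syncBothDirections(uint256 maxDeposits) external {
        if (maxDeposits == vaultMaxDeposits) return;
        if (maxDeposits > vaultMaxDeposits) {
            totalDepositRoom += numVaults * (maxDeposits - vaultMaxDeposits);
        } else {
            uint256 cut = numVaults * (vaultMaxDeposits - maxDeposits);
            // Assumption: room saturates at zero when the vaults already
            // hold more than the new, lower limit allows.
            totalDepositRoom = totalDepositRoom > cut ? totalDepositRoom - cut : 0;
        }
        vaultMaxDeposits = maxDeposits;
    }
}
```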