Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

The `FundFlowController` Fails To Initialize The Group Last Update Time

auditweiler

Summary

Initialization of the FundFlowController doesn't initialize timeOfLastUpdateByGroup to the block.timestamp.

Vulnerability Details

When inititializing the FundFlowController, the timeOfLastUpdateByGroup for all groups is initialized to 0:

function initialize(

address _operatorVCS,

address _communityVCS,

uint64 _unbondingPeriod,

uint64 _claimPeriod,

uint64 _numVaultGroups

) public initializer {

__UUPSUpgradeable_init();

__Ownable_init();

operatorVCS = IVaultControllerStrategy(_operatorVCS);

communityVCS = IVaultControllerStrategy(_communityVCS);

unbondingPeriod = _unbondingPeriod;

claimPeriod = _claimPeriod;

numVaultGroups = _numVaultGroups;

@> for (uint256 i = 0; i < _numVaultGroups; ++i) {

@> timeOfLastUpdateByGroup.push(0);

@> }

}

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/FundFlowController.sol#L64C9-L66C10

This means all group start within the claimable window, since the claim period initializes as active:

function claimPeriodActive() external view returns (bool) {

@> uint256 claimPeriodStart = timeOfLastUpdateByGroup[curUnbondedVaultGroup] + unbondingPeriod;

@> uint256 claimPeriodEnd = claimPeriodStart + claimPeriod;

@> return block.timestamp >= claimPeriodStart && block.timestamp <= claimPeriodEnd;

}

Additionally, we must remember that the claim period is periodic - therefore in order to introduce a claim period at an offset date from the starting timestamp, the deployer would need to configure a delay period that's at least the length of the lifespan of the blockchain.

Impact

The first vesting period can be immaturely claimed for all groups since the unbondingPeriod's first comparison starts from the beginning of time.

Tools Used

Manual Review

Recommendations

Initialize the timeOfLastUpdateByGroup to the block.timestamp.

Updates

Lead Judging Commences

inallhonesty Lead Judge

9 months ago

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.