Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

Manipulated Delegatecall Destinations in CommunityVCS.sol and OperatorVCS.sol

Summary

A critical vulnerability has been identified in CommunityVCS.sol and OperatorVCS.sol, also affecting the VaultControllerStrategy.sol contract, specifically in the deposit and withdraw functions. These functions use delegatecall to execute logic from an external contract (vaultDepositController), which could potentially be exploited to execute arbitrary code.

Vulnerability Details

The destination could be manipulated through CommunityVCS.initialize(address,address,address,address,Fee[],uint256,uint256,uint128,uint128,address) (contracts/linkStaking/CommunityVCS.sol#41-78)
Manipulated call found: (success,None) = vaultDepositController.delegatecall(abi.encodeWithSelector(VaultDepositController.withdraw.selector,_amount,_data)) (contracts/linkStaking/base/VaultControllerStrategy.sol#455-457) in VaultControllerStrategy.withdraw(uint256,bytes) (contracts/linkStaking/base/VaultControllerStrategy.sol#452-460)

The destination could be manipulated through OperatorVCS.initialize(address,address,address,address,Fee[],uint256,uint256,uint256,address) (contracts/linkStaking/OperatorVCS.sol#52-88)
Manipulated call found: (success,None) = vaultDepositController.delegatecall(abi.encodeWithSelector(VaultDepositController.withdraw.selector,_amount,_data)) (contracts/linkStaking/base/VaultControllerStrategy.sol#455-457) in VaultControllerStrategy.withdraw(uint256,bytes) (contracts/linkStaking/base/VaultControllerStrategy.sol#452-460)

Results from test on both OperatorVCS.sol and CommunityVCS.sol

yarn test test/linkStaking/operator-vcs.test.ts

OperatorVCS
Warning: Potentially unsafe deployment of contracts/linkStaking/OperatorVCS.sol:OperatorVCS

You are using the `unsafeAllow.delegatecall` flag.

Warning: Potentially unsafe deployment of contracts/linkStaking/CommunityVCS.sol:CommunityVCS

You are using the `unsafeAllow.delegatecall` flag.
✔ should be able to add vault (9184ms)
✔ getPendingFees should work correctly (94ms)
✔ getMaxDeposits should work correctly
✔ updateDeposits should work correctly (100ms)
✔ updateDeposits should work correctly with slashing (69ms)
✔ updateDeposits should work correctly with reward withdrawals (49ms)
✔ withdrawOperatorRewards should work correctly (101ms)
✔ queueVaultRemoval should work correctly (135ms)
✔ removeVault should work correctly (136ms)
✔ setOperatorRewardPercentage should work correctly (41ms)

(node:1061) PromiseRejectionHandledWarning: Promise rejection was handled asynchronously (rejection id: 130)
(Use node --trace-warnings ... to show where the warning was created)
✔ setRewardsReceiver should work correctly (51ms)

11 passing (10s)

yarn test test/linkStaking/community-vcs.test.ts

CommunityVCS
Warning: Potentially unsafe deployment of contracts/linkStaking/CommunityVCS.sol:CommunityVCS

You are using the `unsafeAllow.delegatecall` flag.
✔ addVaults should work correctly (8907ms)
✔ checkUpkeep should work correctly
✔ performUpkeep should work correctly (90ms)
✔ claimRewards should work correctly (74ms)
✔ deposit should work correctly (71ms)

5 passing (9s)

Impact

The impact of this vulnerability is severe. If exploited, an attacker could:

  1. Execute arbitrary code within the context of the VaultControllerStrategy contract

  2. Manipulate the contract's state, potentially leading to unauthorized token transfers

  3. Bypass intended access controls

  4. Potentially drain funds or take complete control of the contract's functionality

This vulnerability puts all funds managed by these contracts at risk.

Tools Used

Manual code review

slitherin . --pess

yarn test

Recommendations

If delegatecall must be used:

  • Implement a robust access control system for setting the vaultDepositController address, including multi-signature requirements and time-lock mechanisms.

  • Add thorough checks before and after the delegatecall to ensure state consistency.

  • Consider implementing a "static call" to validate the behavior of the target function before executing the delegatecall.
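
One way to implement the first recommendation, as an added sketch that is not Stakelink's code: changes to the delegatecall destination go through an owner-only queue with a delay, and the target must contain code. Every name except vaultDepositController is hypothetical, the owner is assumed to be a multisig, and a constructor stands in for the project's initialize function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical sketch: contract, function, event and error names other than
// vaultDepositController are assumptions, not Stakelink code.
contract GuardedDelegateTarget {
    address public owner;                    // assumed to be a multisig
    address public vaultDepositController;   // delegatecall destination
    address public pendingController;
    uint64 public pendingActivationTime;
    uint64 public constant UPDATE_DELAY = 2 days; // constructed value
    event ControllerUpdateQueued(address indexed target, uint64 activationTime);
    event ControllerUpdated(address indexed target);
    error NotOwner();
    error NotAContract();
    error DelayNotElapsed();
    error NothingQueued();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _owner, address _controller) {
        if (_controller.code.length == 0) revert NotAContract();
        owner = _owner;
        vaultDepositController = _controller;
    }

    // Step 1: queue the new destination; nothing changes until the delay passes.
    function queueControllerUpdate(address _target) external onlyOwner {
        if (_target.code.length == 0) revert NotAContract();
        pendingController = _target;
        pendingActivationTime = uint64(block.timestamp) + UPDATE_DELAY;
        emit ControllerUpdateQueued(_target, pendingActivationTime);
    }

    // Step 2: activate after the delay, re-checking that code still exists.
    function executeControllerUpdate() external onlyOwner {
        address target = pendingController;
        if (target == address(0)) revert NothingQueued();
        if (block.timestamp < pendingActivationTime) revert DelayNotElapsed();
        if (target.code.length == 0) revert NotAContract();
        vaultDepositController = target;
        delete pendingController;
        delete pendingActivationTime;
        emit ControllerUpdated(target);
    }
}
```

The queued event gives monitoring a window to review the new target before any delegatecall can reach it.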

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
