Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Inaccurate Calculation of totalRebonded in VaultDepositController

Summary

The _depositToVaults function in the VaultDepositController contract incorrectly updates the totalRebonded value. This leads to an inaccurate internal state.

Vulnerability Details

In the _depositToVaults function, when a vault is in its claim period, the vault's entire deposits value is added to totalRebonded, regardless of the amount actually being deposited:

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L172

This can lead to an overestimation of totalRebonded if the actual deposit amount is less than the vault's total deposits.

Impact

  1. Accounting Inaccuracy: The totalRebonded value will be inflated, leading to incorrect internal tracking of rebonded tokens.

  2. Future Implications: If totalRebonded is used in future updates without correcting this issue, it could potentially lead to more problems.

Tools Used

Manual Review

Recommendations

Update the rebonding calculation to only account for the actual amount being deposited:

    if (vault.claimPeriodActive()) {
        uint256 rebondAmount = (toDeposit > canDeposit) ? canDeposit : toDeposit;
        totalRebonded += rebondAmount;
    }
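
The two update rules this submission contrasts, as an added JavaScript model (not stake.link's Solidity and not code from the submission); it computes both totals and takes no position on which rule matches the protocol's intended semantics. The loop shape, the skipping of full vaults and the sample vault values are assumptions; only the names toDeposit, canDeposit, deposits, totalRebonded and claimPeriodActive come from the page.

```javascript
// Constructed sample vaults (whole tokens; BigInt mirrors uint256 arithmetic).
const SAMPLE_VAULTS = [
  { deposits: 900n, maxDeposits: 1000n, claimPeriodActive: true },
  { deposits: 400n, maxDeposits: 1000n, claimPeriodActive: false },
  { deposits: 750n, maxDeposits: 1000n, claimPeriodActive: true },
];

const RULES = ["vaultDeposits", "amountDeposited"];
const min = (a, b) => (a < b ? a : b);

// rule "vaultDeposits":   totalRebonded += deposits (behaviour the submission describes)
// rule "amountDeposited": totalRebonded += min(toDeposit, canDeposit) (its recommendation)
function depositToVaults(vaults, toDeposit, rule) {
  if (!RULES.includes(rule)) throw new RangeError(`unknown rule: ${rule}`);
  let remaining = toDeposit;
  let totalRebonded = 0n;
  for (const vault of vaults) {
    if (remaining === 0n) break;                 // assumption: stop once funds run out
    const canDeposit = vault.maxDeposits - vault.deposits;
    if (canDeposit === 0n) continue;             // assumption: full vaults are skipped
    const amount = min(remaining, canDeposit);
    if (vault.claimPeriodActive) {
      totalRebonded += rule === "vaultDeposits" ? vault.deposits : amount;
    }
    remaining -= amount;
  }
  return { totalRebonded, deposited: toDeposit - remaining, remaining };
}

// Runs the same deposit under both rules and reports how far the counters diverge.
function compareRules(vaults, toDeposit) {
  const described = depositToVaults(vaults, toDeposit, "vaultDeposits");
  const recommended = depositToVaults(vaults, toDeposit, "amountDeposited");
  return {
    deposited: described.deposited,
    asDescribed: described.totalRebonded,
    asRecommended: recommended.totalRebonded,
    gap: described.totalRebonded - recommended.totalRebonded,
  };
}

console.log(compareRules(SAMPLE_VAULTS, 800n));
```
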
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
