Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

`StakingPool::_depositLiquidity` using contract balance when depositing into strategy, resulting misreporting actual `totalStaked`

farismaulana

Summary

The totalStaked value should accurately reflect the total amount of tokens deposited into strategies. Any discrepancy between totalStaked and the actual deposited amount can lead to incorrect state variable.

Vulnerability Details

StakingPool.sol#L111-L132

function deposit(address _account, uint256 _amount, bytes[] calldata _data) external onlyPriorityPool {

require(strategies.length > 0, "Must be > 0 strategies to stake");

uint256 startingBalance = token.balanceOf(address(this));

if (_amount > 0) {

token.safeTransferFrom(msg.sender, address(this), _amount);

@> _depositLiquidity(_data);

_mint(_account, _amount);

totalStaked += _amount;

} else {

_depositLiquidity(_data);

}

uint256 endingBalance = token.balanceOf(address(this));

if (endingBalance > startingBalance && endingBalance > unusedDepositLimit) {

revert InvalidDeposit();

}

when calling deposit function, the _account balance would be sent to StakingPool contract and it would be deposited into strategy using _depositLiquidity. But the _depositLiquidity does not account the _amount instead it use token.balanceOf(address(this)) to deposited into strategy.

StakingPool.sol#L477-L492

function _depositLiquidity(bytes[] calldata _data) private {

@> uint256 toDeposit = token.balanceOf(address(this));

if (toDeposit > 0) {

for (uint256 i = 0; i < strategies.length; i++) {

IStrategy strategy = IStrategy(strategies[i]);

uint256 strategyCanDeposit = strategy.canDeposit();

if (strategyCanDeposit >= toDeposit) {

strategy.deposit(toDeposit, _data[i]);

break;

} else if (strategyCanDeposit > 0) {

strategy.deposit(strategyCanDeposit, _data[i]);

toDeposit -= strategyCanDeposit;

}

Impact

Users and stakeholders may receive inaccurate information about the staked amounts, leading to a lack of trust.

Tools Used

manual review

Recommendations

Consider to add amount deposited when calling _depositLiquidity.
Consider to add a function to handle idle/rogue token inside the StakingPool so it can be deposited into strategy.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.