Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Submission Details
Severity: low
Invalid

`StakingPool::_depositLiquidity` using contract balance when depositing into strategy, resulting misreporting actual `totalStaked`

Summary

The totalStaked value should accurately reflect the total amount of tokens deposited into strategies. Any discrepancy between totalStaked and the actual deposited amount can lead to incorrect state variable.

Vulnerability Details

StakingPool.sol#L111-L132

function deposit(address _account, uint256 _amount, bytes[] calldata _data) external onlyPriorityPool {
require(strategies.length > 0, "Must be > 0 strategies to stake");
uint256 startingBalance = token.balanceOf(address(this));
if (_amount > 0) {
token.safeTransferFrom(msg.sender, address(this), _amount);
@> _depositLiquidity(_data);
_mint(_account, _amount);
totalStaked += _amount;
} else {
_depositLiquidity(_data);
}
uint256 endingBalance = token.balanceOf(address(this));
if (endingBalance > startingBalance && endingBalance > unusedDepositLimit) {
revert InvalidDeposit();
}
}

when calling deposit function, the _account balance would be sent to StakingPool contract and it would be deposited into strategy using _depositLiquidity. But the _depositLiquidity does not account the _amount instead it use token.balanceOf(address(this)) to deposited into strategy.

StakingPool.sol#L477-L492

function _depositLiquidity(bytes[] calldata _data) private {
@> uint256 toDeposit = token.balanceOf(address(this));
if (toDeposit > 0) {
for (uint256 i = 0; i < strategies.length; i++) {
IStrategy strategy = IStrategy(strategies[i]);
uint256 strategyCanDeposit = strategy.canDeposit();
if (strategyCanDeposit >= toDeposit) {
strategy.deposit(toDeposit, _data[i]);
break;
} else if (strategyCanDeposit > 0) {
strategy.deposit(strategyCanDeposit, _data[i]);
toDeposit -= strategyCanDeposit;
}
}
}
}

Impact

Users and stakeholders may receive inaccurate information about the staked amounts, leading to a lack of trust.

Tools Used

manual review

Recommendations

Consider to add amount deposited when calling _depositLiquidity.
Consider to add a function to handle idle/rogue token inside the StakingPool so it can be deposited into strategy.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.