Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

StakingPool contract owner can withdraw more than the available withdraw room from the strategies.

tejaswarambhe

Summary

StakingPool contract owner can unknowingly withdraw more than the available withdraw room of the strategy via StakingPool::strategyWithdraw

Vulnerability Details

The function strategyWithdraw in the StakingPool contract allows the owner to manually withdraw asset tokens from the specified strategy.

function strategyWithdraw(
uint256 _index,
uint256 _amount,
bytes calldata _data
) external onlyOwner {
require(_index < strategies.length, "Strategy does not exist");
@> IStrategy(strategies[_index]).withdraw(_amount, _data);
}

But the strategies are intended to have a minimum deposits in them, which can be calculated via Strategy::canWithdraw()
As there is no IStrategy(strategies[_index]).canWithdraw() check, it allows the StakingPool contract owner to unknowingly withdraw more than the minimum amount of tokens required in the contract.

Impact

Strategy contracts like CommunityVCS, OperatorVCS and others (including future strategy contracts) will hold a risk of getting withdrawn more tokens than intended.

Tools Used

Manual review

Recommendations

It is recommended to add a IStrategy(strategies[_index]).canWithdraw() check before withdrawing.

function strategyWithdraw(
uint256 _index,
uint256 _amount,
bytes calldata _data
) external onlyOwner {
require(_index < strategies.length, "Strategy does not exist");
+ @> uint strategyWithdrawRoom = IStrategy(strategies[i]).canWithdraw();
+ @> require(strategyWithdrawRoom >= _amount, "Insufficient Withdrawal Room");
IStrategy(strategies[_index]).withdraw(_amount, _data);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.