Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Missing basis point check in the `CommunityVCS::initialize` and `OperatorVCS::initialize`

Summary

The `CommunityVCS::initialize` and `OperatorVCS::initialize` functions lack a crucial basis point check, which can lead to inflated maximum deposits.

Vulnerability Details

The `maxDepositSizeBP` variable is expected to be less than or equal to 10000; a check for this was added in `__VaultControllerStrategy_init`.

.
.
    vaultImplementation = _vaultImplementation;
    for (uint256 i = 0; i < _fees.length; ++i) {
        fees.push(_fees[i]);
    }
    if (_totalFeesBasisPoints() > 3000) revert FeesTooLarge();
@>  if (_maxDepositSizeBP > 10000) revert InvalidBasisPoints(); // Ensuring maxDepositSizeBP <= 10000
    maxDepositSizeBP = _maxDepositSizeBP;
    vaultMaxDeposits = _vaultMaxDeposits;
    vaultDepositController = _vaultDepositController;
.
.

The `CommunityVCS::initialize` and `OperatorVCS::initialize` functions lack this check in the branch that comes into play when the contract is upgraded.

.
.
    } else {
        globalVaultState = GlobalVaultState(5, 0, 0, uint64(maxDepositSizeBP + 1));
        maxDepositSizeBP = _maxDepositSizeBP;
        delete fundFlowController;
@>      vaultMaxDeposits = _vaultMaxDeposits; // Missing check
    }
.
.
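
One way to keep the bound from being skipped on any path is to route every write to `maxDepositSizeBP` through a single validated setter. The contract below is an added illustration, not stake.link code: only `maxDepositSizeBP`, `vaultMaxDeposits` and `InvalidBasisPoints` come from the excerpts above, and every other name, including the hand-rolled version guard, is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Added illustration only. Names other than maxDepositSizeBP, vaultMaxDeposits
/// and InvalidBasisPoints are hypothetical. Caller access control is omitted.
contract BasisPointGuardExample {
    error InvalidBasisPoints();
    error WrongInitVersion();

    uint256 internal constant MAX_BP = 10000; // 100% expressed in basis points

    uint8 private initializedVersion; // simplified stand-in for an upgrade guard
    uint256 public maxDepositSizeBP;
    uint256 public vaultMaxDeposits;

    // Single choke point: every write to maxDepositSizeBP is range-checked here.
    function _setMaxDepositSizeBP(uint256 _maxDepositSizeBP) internal {
        if (_maxDepositSizeBP > MAX_BP) revert InvalidBasisPoints();
        maxDepositSizeBP = _maxDepositSizeBP;
    }

    // First-deployment path.
    function initialize(uint256 _maxDepositSizeBP, uint256 _vaultMaxDeposits) external {
        if (initializedVersion != 0) revert WrongInitVersion();
        initializedVersion = 1;
        _setMaxDepositSizeBP(_maxDepositSizeBP);
        vaultMaxDeposits = _vaultMaxDeposits;
    }

    // Upgrade path: reuses the same setter, so the bound applies here as well.
    function reinitialize(uint256 _maxDepositSizeBP, uint256 _vaultMaxDeposits) external {
        if (initializedVersion != 1) revert WrongInitVersion();
        initializedVersion = 2;
        _setMaxDepositSizeBP(_maxDepositSizeBP);
        vaultMaxDeposits = _vaultMaxDeposits;
    }
}
```
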

Impact

The `CommunityVCS` and `OperatorVCS` contracts would receive larger maximum deposits than intended.

Tools Used

Manual review

Recommendations

Add an `InvalidBasisPoints` check to both contracts.

.
.
} else {
globalVaultState = GlobalVaultState(5, 0, 0, uint64(maxDepositSizeBP + 1));
+ @> if (_maxDepositSizeBP > 10000) revert InvalidBasisPoints();
maxDepositSizeBP = _maxDepositSizeBP;
delete fundFlowController;
vaultMaxDeposits = _vaultMaxDeposits;
}
.
.
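
Review bot: in the `else` branch, place the new `_maxDepositSizeBP > 10000` check before the `globalVaultState = GlobalVaultState(...)` assignment rather than after it. A revert rolls that write back either way, but validating inputs before any state change is easier to audit. The `@>` marker on the `+` line is a reviewer annotation and is not valid Solidity, so drop it from the actual patch. The hunk shows only the `else` branch, so confirm that the other branch also validates `_maxDepositSizeBP` and that `InvalidBasisPoints` is declared or inherited in both contracts.
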
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
