Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Submission Details
Severity: medium
Invalid

Unchecked Return Value of `transferAndCall` Function in `deposit` in `OperatorVault`

Summary

The deposit function calls IERC677(address(token)).transferAndCall(address(stakeController), _amount, "") without checking its return value. This could lead to undetected failures during the token transfer process, which may affect the integrity of the staking logic.

Vulnerability Details

In Solidity, functions such as transferAndCall may return a boolean indicating whether the transfer was successful or not. However, in the current implementation, the return value is not checked. If the transfer fails, this failure will go unnoticed, potentially leading to a situation where tokens are not properly transferred to the staking contract. This could result in inconsistencies in the vault's accounting system (trackedTotalDeposits), creating a scenario where the system believes the deposit was successful, even though it wasn't.

Impact

If the transferAndCall function fails and the error is not detected, it can lead to several issues:

  • Incorrect accounting of total deposits in the vault.

  • Potential loss of funds or staking benefits for users.

  • Unwanted discrepancies between the actual token balance and the vault’s internal records.

  • Security vulnerabilities if the failure is exploited by an attacker to bypass deposit logic.

Tools Used

  • Manual code inspection.

Recommendations

  1. Verify the return value of transferAndCall to ensure the transfer was successful.

  2. Implement error handling logic to revert the transaction if the token transfer fails, ensuring the integrity of the vault’s deposit system.

Example code:

function deposit(uint256 _amount) external override onlyVaultController {
trackedTotalDeposits += SafeCast.toUint128(_amount);
token.safeTransferFrom(msg.sender, address(this), _amount);
- IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
+ bool success = IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
+ require(success, "Token transfer failed");
}

This will ensure that if the transfer fails, the transaction reverts and no inconsistent state is left in the system.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.