Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Burning Tokens Does Not Decrease Total Staked Amount

0xbrett8571

Summary

The burn function in the StakingPool contract does not update the totalStaked variable when tokens are burned. This leads to an inconsistency between the actual total staked amount and the value stored in totalStaked. The totalStaked variable remains unchanged, even though tokens have been removed from circulation.

Vulnerability Details

The burn function allows users to burn their staked tokens. However, when tokens are burned, the totalStaked variable, which keeps track of the total amount of tokens staked in the pool, is not updated accordingly.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L423-L426

function burn(uint256 _amount) external {

_burn(msg.sender, _amount);

// ❌ totalStaked is not decreased by _amount

emit Burn(msg.sender, _amount);

}

The burn function calls the internal _burn function to burn the specified amount of tokens from the caller's balance. However, it fails to decrease the totalStaked variable by the burned amount. As a result, the totalStaked variable remains unchanged, even though tokens have been removed from circulation.

Consider this Scenario

1. Call the deposit function to stake a certain amount of tokens, let's say 100 tokens. This will increase totalStaked by 100.

Call the burn function with an amount of 50 tokens.

Observe that the totalStaked variable remains unchanged at 100, even though 50 tokens have been burned.

Impact

The totalStaked variable will not accurately reflect the total amount of tokens staked in the pool. This can lead to incorrect calculations and discrepancies in other parts of the contract that rely on totalStaked.
Any functions or mechanisms in the contract that depend on the value of totalStaked, an attacker could potentially exploit this vulnerability to gain unintended advantages or manipulate the system.

Tools Used

Manual Review

Recommendations

Update the burn function to decrease the totalStaked variable by the burned amount. By subtracting the burned _amount from totalStaked, the contract will maintain an accurate representation of the total staked tokens. This ensures that the totalStaked variable reflects the true state of the staking pool and prevents potential exploits or inconsistencies.

function burn(uint256 _amount) external {

_burn(msg.sender, _amount);

+ totalStaked -= _amount;

emit Burn(msg.sender, _amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.