Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Documentation and Implementation Mismatch in WithdrawalPool#getTotalQueuedWithdrawals()

whitehat777

Summary

According to the documentation, the WithdrawalPool#getTotalQueuedWithdrawals() function is intended to return the total amount of liquid staking tokens (LSTs) queued for withdrawal. However, the current implementation of the function returns the total LINK that can be withdrawn based on the number of shares. This inconsistency between the expected and actual behavior can cause confusion and lead to incorrect actions by users and external protocols that rely on this function.

Vulnerability Details

The inline documentation above and the official protocol docs state that this function should return "liquid staking tokens queued for withdrawal." However, the actual implementation of the function returns the LINK amount that can be withdrawn against the liquid staking tokens amount, which is not the same. The stLINK (the liquid staking tokens) are rebasing, and based on the staking rewards, you can get more or less LINK against 1 stLINK. Thus, for users or external protocols relying on this function to see how much LST they can withdraw—which is a wrong assumption, they will receive a value that could lead to unexpected results when they try to use it. Since getTotalQueuedWithdrawals is designed to return the LINK withdrawable amount, this leads to confusion for users and potentially incorrect implementations and calculations in external protocols relying on this function.

Let's examine the issue:

/**

>>> * @notice Returns the total amount of liquid staking tokens queued for withdrawal

* @return total amount queued for withdrawal

function getTotalQueuedWithdrawals() external view returns (uint256) {

return _getStakeByShares(totalQueuedShareWithdrawals);

}

As we can see, it is expected that this function will return "the total amount of liquid staking tokens queued for withdrawal." However, in reality, it returns the LINK amount, which is evident from the internal _getStakeByShares function name that suggests we will get the Stake (LINK) against Shares (stLINK = liquid staking token, i.e., LST).

Impact

Users and external protocols may misinterpret the function's return value, leading to incorrect actions or calculations.

Tools Used

Manual audit

Recommendations

Update the documentation to reflect that the function returns the amount of LINK withdrawable, rather than stLINK, to prevent confusion. Alternatively, if the function is indeed meant to return stLINK, adjust the logic to ensure it correctly returns the queued stLINK amounts rather than converting it to LINK.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.