Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Lack of deposit limit checks in `StakingPool::strategyDeposit`.

Summary

The strategyDeposit function in StakingPool.sol allows the contract owner to deposit tokens into a specific strategy directly. However, this function does not enforce any checks to limit the maximum amount of tokens that can be deposited into a particular strategy. This lack of checks could lead to an over-deposit situation, where more tokens than intended or allowed are deposited, potentially impacting the overall liquidity management of the pool.

Vulnerability Details

The strategyDeposit function (see https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/StakingPool.sol#L173) has the following code:

```solidity
function strategyDeposit(
    uint256 _index,
    uint256 _amount,
    bytes calldata _data
) external onlyOwner {
    require(_index < strategies.length, "Strategy does not exist");
@>  IStrategy(strategies[_index]).deposit(_amount, _data);
}
```

The function does not check whether the amount being deposited by the owner exceeds the maximum allowed by the strategy, or whether there is sufficient room left in the strategy and in the whole pool to accept the deposit.

This contrasts with the StakingPool::_depositLiquidity function, which includes such checks on a strategy utilizing canDeposit before making any deposits (see https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/StakingPool.sol#L477).

Without similar checks in StakingPool::strategyDeposit, there is a risk of over-depositing into a particular strategy and possibly exceeding the maximum amount of tokens that the pool can hold, which could lead to unintended behavior or disruptions in liquidity management.

Impact

The absence of deposit limit checks can result in excessive deposits into a strategy, exceeding its intended capacity. This may lead to funds being concentrated within a single strategy, disrupting optimal liquidity distribution and impairing the overall performance and risk management of the pool.

Tools Used

Manual Code Review, VSCode

Recommendations

Ensure that any direct deposit into strategies via StakingPool::strategyDeposit uses similar checks to those present in StakingPool::_depositLiquidity, enforcing uniform behavior across the contract.
Add checks in the StakingPool::strategyDeposit function to ensure the deposit amount does not exceed the maximum allowed by the strategy and by the whole pool. This can be done by querying the strategy’s canDeposit method to verify the remaining capacity.
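As an added illustration of the recommendation (example code, not from the Stakelink repository), a hardened strategyDeposit that refuses any amount beyond the strategy's and the pool's headroom. It assumes IStrategy.canDeposit() returns the remaining amount the strategy accepts, and uses a hypothetical pool-wide cap maxPoolDeposits tracked against totalStaked; both are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Minimal interface for this example. canDeposit() is assumed to return the
// remaining capacity the strategy will accept (the same value _depositLiquidity
// consults before it deposits).
interface IStrategy {
    function canDeposit() external view returns (uint256);
    function deposit(uint256 _amount, bytes calldata _data) external;
}

contract StakingPoolHardenedExample {
    address public owner;
    address[] public strategies;
    // Hypothetical pool-wide cap and running total, assumed for this example.
    uint256 public maxPoolDeposits;
    uint256 public totalStaked;

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address[] memory _strategies, uint256 _maxPoolDeposits) {
        owner = msg.sender;
        strategies = _strategies;
        maxPoolDeposits = _maxPoolDeposits;
    }

    // Owner can still route tokens into one strategy, but only within the
    // strategy's own headroom and the pool's headroom, mirroring the checks
    // that _depositLiquidity already applies.
    function strategyDeposit(
        uint256 _index,
        uint256 _amount,
        bytes calldata _data
    ) external onlyOwner {
        require(_index < strategies.length, "Strategy does not exist");
        IStrategy strategy = IStrategy(strategies[_index]);

        // Strategy-level limit: reject anything beyond what it reports it can take.
        require(_amount <= strategy.canDeposit(), "Exceeds strategy capacity");

        // Pool-level limit: subtraction reverts on underflow in 0.8.x, which is
        // the desired outcome if the pool is somehow already over its cap.
        require(_amount <= maxPoolDeposits - totalStaked, "Exceeds pool capacity");

        totalStaked += _amount;
        strategy.deposit(_amount, _data);
    }
}
```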

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
