getDepositsSinceLastUpdate return bigger values than expected
Summary
The getDepositsSinceLastUpdate function is intended to return the amount of tokens and shares that have been deposited into Chainlink from the queue. The _depositQueuedTokens function correctly updates the depositsSinceLastUpdate and sharesSinceLastUpdate values. But, there is another part of the code where these values are being modified, even though they should not be.
Vulnerability Details
It seems that this function incorrectly increases the tracked amount of token deposits and shares since the last update, even though it shouldn't affect these values. Withdrawing has nothing to do with depositing into Chainlink.
Impact
It's easy for anyone to bump these values a lot by depositing, and withdrawing tokens from the queue many times.
getDepositsSinceLastUpdate would return much bigger values, than it should. It would be saying that the protocol deposited a lot of funds into chainlink stacking, while it might happen that it did not deposit any founds
Tools Used
Manual Review
Recommendations
Remove two mentioned lines (672-673)
Lead Judging Commences
`depositsSinceLastUpdate` and `sharesSinceLastUpdate` can be manipulated by repeated deposit and withdrawal
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.