Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Unnecessary Use of transferAndCall in Deposit Function

Summary

The deposit function in the Vault contract uses transferAndCall to send tokens to the Chainlink staking contract, despite not passing any additional data. This could potentially lead to unnecessary gas costs and complexity.

Vulnerability Details

The deposit function is implemented as follows:

    function deposit(uint256 _amount) external virtual onlyVaultController {
        token.safeTransferFrom(msg.sender, address(this), _amount);
        IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
    }

The function uses transferAndCall with an empty string as the data parameter. transferAndCall is typically used when additional data needs to be passed along with the transfer. In this case, no data is being passed, making the use of transferAndCall unnecessary.

Impact

Increased gas costs: transferAndCall may consume more gas than a simple transfer or safeTransfer.

Tools Used

Manual review

Recommendations

Replace transferAndCall with safeTransfer:

    function deposit(uint256 _amount) external virtual onlyVaultController {
        token.safeTransferFrom(msg.sender, address(this), _amount);
        token.safeTransfer(address(stakeController), _amount);
    }
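
ERC-677's transferAndCall moves the tokens and then calls onTokenTransfer on a contract recipient, even when the data argument is empty, so a reviewer weighing this recommendation would first check whether the receiver does its accounting in that hook. The Solidity below is an added example, not Stakelink or Chainlink code; MiniERC677 and HookStaking are hypothetical contracts written only to show how the two calls differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: every contract here is hypothetical, not Stakelink or Chainlink code.
interface IERC677Receiver {
    function onTokenTransfer(address sender, uint256 value, bytes calldata data) external;
}

// Minimal ERC-677-style token: balances plus transfer and transferAndCall.
contract MiniERC677 {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    // Plain transfer: balances change, the recipient is never notified.
    function transfer(address to, uint256 value) public returns (bool) {
        balanceOf[msg.sender] -= value; // reverts on underflow in 0.8+
        balanceOf[to] += value;
        return true;
    }

    // Moves the tokens, then notifies a contract recipient, even when data is empty.
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool) {
        transfer(to, value);
        if (to.code.length > 0) {
            IERC677Receiver(to).onTokenTransfer(msg.sender, value, data);
        }
        return true;
    }
}

// Hypothetical receiver that records stake only inside the ERC-677 hook.
contract HookStaking is IERC677Receiver {
    address public immutable token;
    mapping(address => uint256) public staked;

    constructor(address _token) {
        token = _token;
    }

    function onTokenTransfer(address sender, uint256 value, bytes calldata) external override {
        require(msg.sender == token, "only token"); // reject calls not made by the token
        staked[sender] += value;                    // the only place stake is credited
    }
}
```

With these contracts, token.transfer(address(staking), x) leaves staked[caller] at 0 while the tokens sit at the staking address, whereas token.transferAndCall(address(staking), x, "") sets it to x.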
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
