Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Locked Claimable Rewards in CommunityVCS Contract

Summary

In the current implementation of the CommunityVCS contract, the claimRewards function allows the contract to collect staking rewards from community vaults. However, there is no functionality to withdraw or transfer these collected tokens, causing the tokens to be locked within the contract without a mechanism for external retrieval.

Vulnerability Details

  • Function Affected: claimRewards

  • Description: The claimRewards function successfully claims staking rewards from the specified vaults, transferring the rewards to the CommunityVCS contract. However, the contract does not have a function that allows the owner or any authorized party to withdraw or transfer these rewards once collected. This creates a situation where the claimed tokens remain locked within the contract indefinitely.

Impact

  • Severity: Medium

  • Effect: The rewards claimed by the claimRewards function are locked within the CommunityVCS contract. Users or stakeholders of the contract are unable to access or utilize the claimed tokens, rendering them unusable until this functionality is added. This could lead to a loss of liquidity and a decrease in the contract's utility for stakeholders.

  • Potential Loss: The full amount of rewards claimed across all vaults will be inaccessible if this issue remains unresolved.

Tools Used

Recommendations

To resolve this issue, consider implementing the following:

  1. Withdraw Functionality: Add a withdraw function that allows the contract owner or an authorized role to transfer the claimed rewards to an external address. This function could look like:

    function withdrawRewards(address _to, uint256 _amount) external onlyOwner {
        // Reject the zero address so rewards cannot be sent to an unrecoverable destination
        require(_to != address(0), "Invalid address");
        // Cap the withdrawal at the contract's current token balance
        require(_amount <= token.balanceOf(address(this)), "Insufficient balance");
        token.transfer(_to, _amount);
    }

  2. Authorization Checks: Ensure that only the contract owner or another authorized party can call the withdrawRewards function to prevent unauthorized access to the claimed rewards.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

newspacexyz Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
