Stakelink (Liquid Staking) audit contest. Tags: DeFi, Hardhat, Oracle. Prize pool: 50,000 USDC

Submission Details
Severity: low
Valid

Overestimated Vault Group Capacity Due to globalVaultState.depositIndex Misuse in CommunityVCS::deposit Function

Summary

When the CommunityVCS::deposit function processes a deposit after the vault deposit limit has changed, it incorrectly assumes that globalVaultState.depositIndex equals the number of vaults belonging to groups. The per-group vault counts, and therefore the per-group deposit capacities, are miscalculated as a result.

Vulnerability Details

When the staking pool calls the CommunityVCS::deposit function and the vault deposit limit has changed in the Chainlink staking contract, the total deposit room of every vault group is adjusted. To illustrate the issue, consider the following values:

  • new maxDeposits = 500

  • current vaultMaxDeposits = 400

  • difference = 500 - 400 ==> 100

  • totalVaults = globalVaultState.depositIndex ==> 8

  • numVaultGroups = 5

  • VaultsPerGroup = totalVaults / numVaultGroups ==> 1 (since Solidity rounds down)

  • remainder = totalVaults % numVaultGroups ==> 3

The loop over numVaultGroups then assigns each group vaultsPerGroup vaults, with the first remainder (3) groups receiving one extra vault:

  • Group 0: numVaults = 1 + 1 = 2

  • Group 1: numVaults = 1 + 1 = 2

  • Group 2: numVaults = 1 + 1 = 2

  • Group 3: numVaults = 1

  • Group 4: numVaults = 1

For vault group 1, which has 2 vaults, the total deposit room is 400 + 400 ==> 800, and after the update it becomes 800 + 2 * 100 ==> 1000.

The problem lies in using globalVaultState.depositIndex, which points to the next non-group vault. As the VaultDepositController::_depositToVaults function shows, only vaults with an index below globalVaultState.depositIndex are treated as group members:

// vault must be a member of a group
if (vaultIndex >= globalState.depositIndex) revert InvalidVaultIds();

depositIndex can also point to a vault that has not yet been deployed; this occurs when all non-group vaults are full. The index is incremented here and updated here.

Thus, when depositIndex = 5, the total number of vaults in groups should be 5 - 1 = 4.

Note that, for clarity, this report assumes that no deposits have been made into the groups yet; in practice, the deposit room of each group decreases as deposits are made.

Impact

Some vault groups appear to have more deposit room than they actually do. For instance, the room of group 2 is computed as 400 + 2 * 100 ==> 600, whereas with only one vault the correct new room is 400 + 1 * 100 ==> 500.
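To make the arithmetic in the Vulnerability Details and Impact sections concrete, the following Python model is added here; it is not code from the report or from the Stakelink contracts. It distributes vaults across groups with the same integer division and remainder rule the report describes, then applies the room update once with totalVaults = depositIndex (the current behaviour) and once with the report's corrected depositIndex - 1. The function names are chosen for this example, and it takes over the report's assumption that no deposits have been made yet, so a group's current room is its vault count times vaultMaxDeposits.

```python
"""Model of the per-group vault count and deposit-room update described in the
report (added example, not the Stakelink contract code). Default values are the
report's own: new maxDeposits 500, current vaultMaxDeposits 400, depositIndex 8,
5 vault groups.
"""


def vaults_per_group(total_vaults: int, num_groups: int) -> list[int]:
    """Distribute total_vaults across num_groups the way the report describes:
    integer division gives the base count, and the first `remainder` groups
    each receive one extra vault."""
    base, remainder = divmod(total_vaults, num_groups)
    return [base + (1 if i < remainder else 0) for i in range(num_groups)]


def updated_rooms(rooms: list[int], counts: list[int], diff: int) -> list[int]:
    """Apply the room increase: each group gains numVaults * diff."""
    return [room + n * diff for room, n in zip(rooms, counts)]


def overestimate(deposit_index: int, num_groups: int,
                 old_max: int, new_max: int) -> dict:
    """Compare the current count (totalVaults = depositIndex) with the report's
    corrected count (totalVaults = depositIndex - 1).

    Assumption carried over from the report: no deposits have been made yet,
    so a group's current room is its vault count times the old per-vault limit.
    """
    diff = new_max - old_max
    actual_counts = vaults_per_group(deposit_index - 1, num_groups)  # report's view
    buggy_counts = vaults_per_group(deposit_index, num_groups)       # current code
    rooms_before = [n * old_max for n in actual_counts]
    buggy = updated_rooms(rooms_before, buggy_counts, diff)
    correct = updated_rooms(rooms_before, actual_counts, diff)
    return {
        "buggy_counts": buggy_counts,
        "actual_counts": actual_counts,
        "buggy_rooms": buggy,
        "correct_rooms": correct,
        # per-group room that is reported but does not exist
        "overestimate": [b - c for b, c in zip(buggy, correct)],
    }


if __name__ == "__main__":
    result = overestimate(deposit_index=8, num_groups=5, old_max=400, new_max=500)
    for key, value in result.items():
        print(f"{key:>14}: {value}")
```

With the report's numbers the model yields counts [2, 2, 2, 1, 1] under the current code against [2, 2, 1, 1, 1] under the corrected count, and the only group whose room is overstated is group 2, by exactly one diff (100), matching the Impact section.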

Tools Used

Manual Review

Recommendations

Update the faulty logic in CommunityVCS::deposit to:

- uint256 totalVaults = globalVaultState.depositIndex;
+ uint256 totalVaults = globalVaultState.depositIndex - 1;
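Review bot: `globalVaultState.depositIndex - 1` is a uint256 subtraction, so when depositIndex is 0 (no group vault exists yet) it underflows: the whole deposit reverts under Solidity 0.8 checked arithmetic, or wraps to 2^256 - 1 on older compilers. Guard the case explicitly, e.g. `uint256 totalVaults = globalVaultState.depositIndex == 0 ? 0 : globalVaultState.depositIndex - 1;`, or document the invariant that deposit() cannot be reached with depositIndex == 0.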

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 11 months ago: Submission Judgement Published. Validated.

Assigned finding tags:

Overestimated Vault Group Capacity Due to globalVaultState.depositIndex Misuse in CommunityVCS::deposit Function
