Liquid Staking

Stakelink
Tags: DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

onlyController can withdraw both the principalDeposits and rewards through the withdraw function

Summary

onlyController can withdraw both the principalDeposits and rewards through the withdraw function.

Vulnerability Details

There's no check in the withdraw function to ensure that the withdrawal amount is less than or equal to principalDeposits.

```solidity
function withdraw(uint256 _amount, address _receiver) external onlyController {
    principalDeposits -= _amount;
    lst.safeTransfer(_receiver, _amount);
    emit Withdraw(_amount);
}
```

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L79C3-L83C6

This means that the controller can, in fact, withdraw the entire balance of the contract, including both principal and accrued rewards.

Impact

The controller could withdraw funds before rewards are distributed, effectively bypassing the reward distribution mechanism.

This takes away the rewards of the accounts entitled to them.

Tools Used

Manual review

Recommendations

Limit withdrawals to not exceed principalDeposits.
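As an added illustration (not the Stakelink code), a stripped-down splitter that carries the explicit bound the recommendation asks for; the contract name, the `controller`/`lst` fields, the custom errors and the minimal IERC20 surface are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token surface assumed for this example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract BoundedSplitter {
    IERC20 public immutable lst;
    address public immutable controller;
    uint256 public principalDeposits;

    event Withdraw(uint256 amount);
    error ExceedsPrincipal(uint256 requested, uint256 principal);
    error OnlyController();

    modifier onlyController() {
        if (msg.sender != controller) revert OnlyController();
        _;
    }

    constructor(IERC20 _lst, address _controller) {
        lst = _lst;
        controller = _controller;
    }

    // Principal is tracked separately from the token balance, which grows with rewards.
    function deposit(uint256 _amount) external onlyController {
        principalDeposits += _amount;
        require(lst.transferFrom(msg.sender, address(this), _amount), "transferFrom failed");
    }

    // Explicit upper bound: a withdrawal can never dip into the reward portion
    // (balanceOf(this) - principalDeposits). Solidity >=0.8 checked arithmetic would
    // already revert on underflow in `principalDeposits -= _amount`; the explicit check
    // makes the invariant readable and gives an actionable revert reason.
    function withdraw(uint256 _amount, address _receiver) external onlyController {
        if (_amount > principalDeposits) revert ExceedsPrincipal(_amount, principalDeposits);
        principalDeposits -= _amount;
        require(lst.transfer(_receiver, _amount), "transfer failed");
        emit Withdraw(_amount);
    }

    // Accrued rewards are whatever the balance holds beyond tracked principal.
    function rewards() external view returns (uint256) {
        return lst.balanceOf(address(this)) - principalDeposits;
    }
}
```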

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
