Liquid Staking

Stakelink
Tags: DeFi, Hardhat, Oracle
Prize pool: 50,000 USDC

Submission Details
Severity: medium
Status: Invalid

Missing slippage control in priorityPool:deposit()

Summary

priorityPool:deposit() converts assetToken into staking-pool shares with no minimum-shares-out and no deadline parameter, so a depositor has no way to bound the exchange rate they will accept and can be sandwiched into receiving fewer shares than expected.

Vulnerability Details

A user calling priorityPool:deposit() converts assetToken into shares at whatever exchange rate holds when the transaction is mined, not the rate they saw when they signed it. The deposit path (`_deposit()` below) forwards the amount to `stakingPool.deposit()` with no protection at all: there is no minimum number of shares the caller will accept and no deadline after which the transaction becomes invalid.

A transaction that sits in the mempool, whether held back by a block producer or delayed by network congestion, therefore executes at a stale rate, and a depositor can be front-run and sandwich attacked so that they receive fewer shares than expected, ultimately leading to loss of user funds.

```solidity
function _deposit(address _account, uint256 _amount, bool _shouldQueue, bytes[] memory _data) internal {
    ...
        if (toDeposit != 0) {
            uint256 canDeposit = stakingPool.canDeposit();
            if (canDeposit != 0) {
                uint256 toDepositIntoPool = toDeposit <= canDeposit ? toDeposit : canDeposit;
                // No minimum-shares-out or deadline check: shares are minted to _account
                // at whatever rate the pool reports in the block that includes this tx.
@>              stakingPool.deposit(_account, toDepositIntoPool, _data);
                toDeposit -= toDepositIntoPool;
            }
        }
    }
    ...
}
```

Impact

Deposits can be sandwich attacked: the depositor receives fewer shares than expected, and the difference is captured by the attacker instead of the user, a loss of user funds.

Tools Used

Manual Review

Recommendations

Allow the user to pass a minimum number of shares (and, optionally, a deadline) to priorityPool:deposit(), and revert if fewer shares than that minimum are minted to the depositor, so the caller bounds the exchange rate they are willing to accept.
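The shape of the fix, covering both the unprotected call path described under Vulnerability Details and the recommendation above, as an added example that is not Stakelink's code. It assumes a pool interface (`IStakingPoolLike`) with the `canDeposit()` and `deposit(account, amount, data)` calls seen in the excerpt plus an ERC20 `balanceOf`, and the parameter names `_minSharesOut` and `_deadline` and the helper `minSharesFor` are this example's own choices:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example (not the project's code). Minimal interface assumed for illustration:
// the staking pool is the ERC20 share token and mints to `_account` on deposit.
interface IStakingPoolLike {
    function canDeposit() external view returns (uint256);
    function deposit(address _account, uint256 _amount, bytes[] calldata _data) external;
    function balanceOf(address _account) external view returns (uint256);
}

contract SlippageProtectedDeposit {
    IStakingPoolLike public immutable stakingPool;

    error DeadlineExpired(uint256 deadline, uint256 nowTs);
    error InsufficientSharesOut(uint256 received, uint256 minimum);
    error NothingDeposited();

    constructor(IStakingPoolLike _stakingPool) {
        stakingPool = _stakingPool;
    }

    /// @notice Deposit into the pool, reverting if fewer than `_minSharesOut` shares
    ///         are minted to the caller or if `_deadline` has already passed.
    /// @dev `_minSharesOut` and `_deadline` are the hypothetical parameters this
    ///      example adds; the original deposit path has neither.
    function depositWithSlippage(
        uint256 _amount,
        uint256 _minSharesOut,
        uint256 _deadline,
        bytes[] calldata _data
    ) external returns (uint256 sharesReceived) {
        // Deadline: a transaction that sits in the mempool (or is deliberately
        // held back) past this point reverts instead of executing at a stale rate.
        if (block.timestamp > _deadline) revert DeadlineExpired(_deadline, block.timestamp);

        // Same capping logic as the excerpt: only what the pool can take goes in now.
        uint256 canDeposit = stakingPool.canDeposit();
        uint256 toDepositIntoPool = _amount <= canDeposit ? _amount : canDeposit;
        if (toDepositIntoPool == 0) revert NothingDeposited();

        // Measure the shares actually minted to the depositor instead of trusting a
        // quoted rate; the balance delta is exactly what a sandwich would shrink.
        uint256 before = stakingPool.balanceOf(msg.sender);
        stakingPool.deposit(msg.sender, toDepositIntoPool, _data);
        sharesReceived = stakingPool.balanceOf(msg.sender) - before;

        if (sharesReceived < _minSharesOut) {
            revert InsufficientSharesOut(sharesReceived, _minSharesOut);
        }
    }

    /// @notice Caller-side helper: the minimum acceptable shares for a quote and a tolerance.
    /// @param _quotedShares shares expected at the rate observed off-chain before signing.
    /// @param _slippageBps tolerance in basis points (50 = 0.5%).
    function minSharesFor(uint256 _quotedShares, uint256 _slippageBps) public pure returns (uint256) {
        require(_slippageBps <= 10_000, "slippage > 100%");
        return _quotedShares * (10_000 - _slippageBps) / 10_000;
    }
}
```

The check is taken on the balance delta rather than on a rate read from the pool, so it holds regardless of how the rate moved between signing and inclusion. Two caveats for applying this to the real deposit path: any portion that is queued rather than deposited (the `_shouldQueue` path in the original signature) mints nothing immediately, so the minimum must be compared only against shares minted for the amount that actually entered the pool; and the delta measurement assumes `stakingPool.deposit()` mints directly to the depositor, as the excerpt's `_account` argument suggests.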

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
