Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Risk of Tokens Getting Stuck in PriorityPool During Deposits

Summary

The issue allows for tokens to become stuck in the contract if the internal _deposit function fails or reverts, potentially leading to loss of user funds and accumulation of unused tokens in the contract.

Vulnerability Details

function deposit(uint256 _amount, bool _shouldQueue, bytes[] calldata _data) external {
    if (_amount == 0) revert InvalidAmount();
    token.safeTransferFrom(msg.sender, address(this), _amount);
    _deposit(msg.sender, _amount, _shouldQueue, _data);
}

The function transfers tokens to the contract before calling the internal _deposit function. If _deposit fails or reverts, the tokens will remain in the contract, potentially causing them to become stuck.

Impact

1. User Funds at Risk: Users who attempt to deposit tokens may lose access to their funds if the _deposit function fails.

2. Contract Balance Accumulation: The contract's balance of tokens could increase over time as more users attempt to deposit, leading to a significant accumulation of unused tokens.

Tool Used

Manual code review

Recommendations

Modify the deposit function to ensure that the internal state is updated (effects) before external interactions occur. This reduces the risk of tokens becoming stuck if _deposit fails.

function deposit(uint256 _amount, bool _shouldQueue, bytes[] calldata _data) external {
    if (_amount == 0) revert InvalidAmount();
    _deposit(msg.sender, _amount, _shouldQueue, _data);
    token.safeTransferFrom(msg.sender, address(this), _amount);
}

Updates

Lead Judging Commences

inallhonesty Lead Judge
11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
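
The ordering in the reported deposit() can be exercised directly: a revert undoes every state change made in the reverted call, including a token transfer that happened earlier in it. The following is an added example, not code from the submission or the Stakelink code base; MockToken, RevertingPool and AtomicityCheck are hypothetical contracts, and a plain transferFrom stands in for safeTransferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token: only what the demonstration needs.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // checked math: reverts if allowance is too low
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical pool with the same ordering as the reported deposit():
// pull tokens first, then run internal logic, which always reverts here.
contract RevertingPool {
    error DepositFailed();
    MockToken public immutable token;

    constructor(MockToken _token) { token = _token; }

    function deposit(uint256 _amount) external {
        token.transferFrom(msg.sender, address(this), _amount);
        _deposit();
    }

    function _deposit() internal pure { revert DepositFailed(); }
}

// Acts as the depositor and checks both balances after the failed deposit.
contract AtomicityCheck {
    function run() external returns (uint256 userBalance, uint256 poolBalance) {
        MockToken token = new MockToken();
        RevertingPool pool = new RevertingPool(token);
        token.mint(address(this), 100);
        token.approve(address(pool), 100);

        try pool.deposit(100) { revert("deposit should have reverted"); } catch {}

        // The transfer made inside deposit() was rolled back with the revert.
        userBalance = token.balanceOf(address(this));
        poolBalance = token.balanceOf(address(pool));
        assert(userBalance == 100 && poolBalance == 0);
    }
}
```

Calling run() completes without tripping the assert: the depositor keeps all 100 tokens and the pool holds none.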
