Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Valid

Operator Tokens Not Transferred During Withdrawals in OperatorStakingPool

Summary

The OperatorStakingPool::_withdraw function fails to transfer operator tokens back to the user during withdrawals or when an operator is removed. This oversight results in operator funds being locked within the contract.

Vulnerability Details

When an operator withdraws via a call to the OperatorStakingPool::withdraw function, and when the operator is being removed via an admin call to the OperatorStakingPool::removeOperators function, the internal _withdraw function is called to transfer the operator tokens to the user. However, this transfer is not currently performed, resulting in operator funds being stuck in the contract.

function _withdraw(address _operator, uint256 _amount) private {
    uint256 sharesAmount = lst.getSharesByStake(_amount);
    shareBalances[_operator] -= sharesAmount;
    totalShares -= sharesAmount;
    //@audit-issue doesn't transfer the tokens to the operator
    emit Withdraw(_operator, _amount, sharesAmount);
}

Impact

Operators always lose their deposited tokens.
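
The following JavaScript model is an added example, not code from this submission or from the Stake.link contracts. It reproduces the share accounting of `_withdraw` and computes an invariant a test or monitor can check: the LST shares held by the pool should equal the shares it still credits to operators. `LstModel`, `PoolModel`, `scenario`, the `fixed` flag and the deposit path are assumptions made for the model.

```javascript
// Simplified in-memory model, constructed for illustration (not the project's code).
class LstModel {
  constructor() { this.shares = new Map(); this.totalShares = 0n; this.totalStaked = 0n; }
  getSharesByStake(amt) { return this.totalStaked === 0n ? amt : (amt * this.totalShares) / this.totalStaked; }
  sharesOf(who) { return this.shares.get(who) ?? 0n; }
  mint(to, amt) {
    const s = this.getSharesByStake(amt);
    this.shares.set(to, this.sharesOf(to) + s);
    this.totalShares += s;
    this.totalStaked += amt;
  }
  transfer(from, to, amt) {
    const s = this.getSharesByStake(amt);
    if (this.sharesOf(from) < s) throw new Error("insufficient balance");
    this.shares.set(from, this.sharesOf(from) - s);
    this.shares.set(to, this.sharesOf(to) + s);
  }
}

class PoolModel {
  constructor(lst, fixed) { Object.assign(this, { lst, fixed, shareBalances: new Map(), totalShares: 0n }); }
  deposit(op, amt) { // assumed deposit path: operator's LST moves into the pool
    const s = this.lst.getSharesByStake(amt);
    this.lst.transfer(op, "pool", amt);
    this.shareBalances.set(op, (this.shareBalances.get(op) ?? 0n) + s);
    this.totalShares += s;
  }
  withdraw(op, amt) { // mirrors _withdraw; `fixed` toggles the missing transfer
    const s = this.lst.getSharesByStake(amt);
    const bal = this.shareBalances.get(op) ?? 0n;
    if (bal < s) throw new Error("withdrawal exceeds balance"); // stands in for the underflow revert
    this.shareBalances.set(op, bal - s);
    this.totalShares -= s;
    if (this.fixed) this.lst.transfer("pool", op, amt);
  }
  // Invariant: LST shares the pool holds minus shares it still credits to operators.
  strandedShares() { return this.lst.sharesOf("pool") - this.totalShares; }
}

function scenario(fixed) {
  const lst = new LstModel();
  lst.mint("operator", 100n);
  lst.totalStaked += 25n; // rewards accrue: 100 shares now back 125 tokens
  const pool = new PoolModel(lst, fixed);
  pool.deposit("operator", 50n);  // 40 shares move into the pool
  pool.withdraw("operator", 25n); // 20 shares are debited from the operator
  return { operatorShares: lst.sharesOf("operator"), stranded: pool.strandedShares() };
}
```

With `fixed` set to `false` the pool ends up holding shares that no operator balance accounts for; a non-zero `strandedShares()` is the signal to assert on.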

Tools Used

Manual Review

Recommendations

Update the OperatorStakingPool::_withdraw function to:

function _withdraw(address _operator, uint256 _amount) private {
uint256 sharesAmount = lst.getSharesByStake(_amount);
shareBalances[_operator] -= sharesAmount;
totalShares -= sharesAmount;
+ lst.safeTransfer(_operator, _amount);
emit Withdraw(_operator, _amount, sharesAmount);
}
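
Review bot: the added `lst.safeTransfer(_operator, _amount)` line only compiles if a SafeERC20-style library is attached to the type of `lst`, and nothing in these lines shows that; confirm the contract carries the matching `using ... for` directive, or include it as part of the fix. The placement after the `shareBalances` and `totalShares` updates is worth keeping, since state is settled before the external call. A regression test asserting that the operator's LST balance rises by `_amount` after both `withdraw` and `removeOperators` would pin the behaviour down.
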
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`OperatorStakingPool::_withdraw()` function doesn't transfer the tokens
