Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

`updateStrategyRewards` is not called before adding & updating the fees

Github

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L347-L374

Summary

In the Trust Security audit report, an issue titled "TRST-L-4: Strategy rewards are not updated before updating the fees" was identified in the SequencerVCS.sol contract. A similar issue is present in the StakingPool.sol contract. Specifically, the functions addFee() and updateFee() modify the fee structure without calling updateStrategyRewards() beforehand. This results in rewards being distributed based on outdated fee values, potentially leading to incorrect reward calculations.

Impact

Failure to update the strategy rewards before modifying the fee structure can cause incorrect reward distribution. When the fees are changed without recalculating the rewards, the old reward values will not account for the newly updated fee structure. This could lead to overpayment or underpayment of rewards to stakeholders, depending on the timing of the fee change.

If unaddressed, this issue could:

  1. Distort reward calculations, resulting in an inaccurate rewards distribution for stakeholders.

  2. Impact trust and fairness in the staking system, as rewards may not reflect the correct deductions for fees.

  3. Potentially harm the staking pool's integrity, as incorrect reward calculations can lead to stakeholder dissatisfaction and potential financial losses.

What causes this issue?

The contract lacks a call to updateStrategyRewards() before modifying the fee structure in addFee() and updateFee().

Recommendations

Call updateStrategyRewards() before making any changes to the fee structure in both the addFee() and updateFee() functions. This will ensure that rewards are calculated and distributed based on the old fee values before they are modified.
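A simplified Python model of the ordering problem, added here as an illustration; it is not code from StakingPool.sol or from the submission. `PoolModel`, its fields and the amounts are constructed assumptions, `settle()` stands in for `updateStrategyRewards()`, and the caught failure follows the judging note about calling it with try and catch.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


@dataclass
class PoolModel:
    """Constructed model, not StakingPool.sol: one fee receiver, rewards sit
    in `pending` until settle() splits them at the current fee rate."""
    fee_bps: int
    pending: int = 0
    fee_paid: int = 0
    staker_paid: int = 0
    receiver_reverts: bool = False  # models a fee receiver that rejects transfers

    def accrue(self, amount: int) -> None:
        self.pending += amount

    def settle(self) -> None:
        """Stand-in for updateStrategyRewards()."""
        if self.receiver_reverts:
            raise RuntimeError("fee receiver reverted")
        fee = self.pending * self.fee_bps // BPS
        self.fee_paid += fee
        self.staker_paid += self.pending - fee
        self.pending = 0

    def update_fee_unsettled(self, new_bps: int) -> None:
        """Behaviour described in the finding: fee changes, pending untouched."""
        self.fee_bps = new_bps

    def update_fee_settled(self, new_bps: int) -> bool:
        """Recommended order: settle at the old rate, then change the fee.
        The failure is caught so a reverting receiver cannot block the update."""
        settled = True
        try:
            self.settle()
        except RuntimeError:
            settled = False
        self.fee_bps = new_bps
        return settled


def run(update_name: str) -> tuple[int, int]:
    pool = PoolModel(fee_bps=1_000)      # 10% fee
    pool.accrue(1_000)                   # earned while the fee was 10%
    getattr(pool, update_name)(2_000)    # owner raises the fee to 20%
    pool.accrue(1_000)                   # earned while the fee was 20%
    pool.settle()
    return pool.fee_paid, pool.staker_paid
```

In this model the unsettled path charges the new 20% rate on rewards earned under the 10% rate, so the fee receiver gets 100 more and stakers 100 less than with the settle-first order. When the settlement fails and is caught, the rewards stay pending and the fee change still goes through.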

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0xtheblackpanther Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
0xtheblackpanther Submitter
about 1 year ago
inallhonesty Lead Judge
12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`updateStrategyRewards` is not called before adding & updating the fees

It should be called with try and catch to avoid DOS by receiver.
