Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect totalSupply Due to Unaccounted Donated Tokens in StakingPool

Summary

The StakingPool::totalSupply function incorrectly returns the total staked amount as the total supply of tokens, without accounting for donated tokens. Since donated tokens do not result in token minting, the actual supply is overstated.

Vulnerability Details

The StakingPool::totalSupply function is intended to return the total supply of liquid staking tokens, but it currently returns the total staked amount instead. This is inaccurate because some staked tokens could be donated, and when tokens are donated, no new tokens are minted, as seen here:

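function donateTokens(uint256 _amount) external {
    // Pull the donated tokens into the pool
    token.safeTransferFrom(msg.sender, address(this), _amount);
    // totalStaked increases; no liquid staking tokens are minted here
    totalStaked += _amount;
    emit DonateTokens(msg.sender, _amount);
}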

Impact

This discrepancy can mislead users and other querying contracts, as the total supply reported by the contract will be higher than the actual number of liquid staking tokens in circulation.

Tools Used

Manual review.

Recommendations

The StakingPool::totalSupply function should return totalShares instead, as this value is only updated when tokens are minted.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/base/StakingRewardsPool.sol#L188-L199
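
The accounting described in this submission, as an added Python model (not part of the original submission and not stake.link's code): it tracks totalStaked and totalShares through a stake, a donation and a second stake. The pro-rata share-minting rule, the account names and the amounts are assumptions made for the illustration.

```python
"""Constructed model of share-based pool accounting (not stake.link code)."""
from dataclasses import dataclass, field


@dataclass
class PoolModel:
    total_staked: int = 0  # underlying tokens held, the page's totalStaked
    total_shares: int = 0  # share units, the page's totalShares
    shares: dict = field(default_factory=dict)

    def stake(self, account: str, amount: int) -> int:
        # Assumed mint rule: 1:1 for the first deposit, pro rata afterwards.
        if self.total_shares == 0:
            minted = amount
        else:
            minted = amount * self.total_shares // self.total_staked
        self.shares[account] = self.shares.get(account, 0) + minted
        self.total_shares += minted
        self.total_staked += amount
        return minted

    def donate_tokens(self, amount: int) -> None:
        # Mirrors donateTokens on the page: totalStaked grows, nothing is minted.
        self.total_staked += amount

    def supply_views(self) -> dict:
        # The two candidate return values for totalSupply discussed on the page.
        return {
            "total_staked": self.total_staked,
            "total_shares": self.total_shares,
            "gap": self.total_staked - self.total_shares,
        }


def run_scenario() -> list:
    # Constructed sample inputs: account names and amounts are illustrative.
    pool = PoolModel()
    trace = []
    pool.stake("alice", 1_000)
    trace.append(("after alice stakes 1000", pool.supply_views()))
    pool.donate_tokens(250)
    trace.append(("after 250 donated", pool.supply_views()))
    minted = pool.stake("bob", 500)
    trace.append((f"after bob stakes 500 (minted {minted})", pool.supply_views()))
    return trace


if __name__ == "__main__":
    for label, views in run_scenario():
        print(label, views)
```
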

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
