Liquid Staking

Summary

During deposit, WithdrawalPool transfers LINK from user and send bach the same amount of stETH. This assumes ideal peg of both tokens, which is not guaranteed. Because of the deposit and withdrawal queue, arbitraging this opportunity means filling the queue with arbitrageurs orders, hindering core of the liquid staking system.

Vulnerability Details

Both token (LINK) and lst (stLINK) ratio is the same when depositing. It's invalid, because their exchange rate may fluctuate, just like ETH-stETH. This can be seen in Curve pools for example: https://curve.fi/#/ethereum/pools/factory-v2-241/swap . The function in question:

Generally, because of the queueing mechanism and limited space we see right now on current staking on mainnet, overfilling the queue is a huge concern for honest users.

How the arbitrageur can use this function:

1. flashloan and swap from curve - buy stLINK with LINK (600 LINK is 600.25 stLINK at the time of writing this report)

2. call priorityPool::withdraw (shouldUnqueue = false)

3. receive same amount of LINK as provided stLINK

4. send, taking the profit

On an additional note, assuming peg of LST to underlying token is well known vulnerability and has been found and reported multiple times, for example:
https://code4rena.com/reports/2024-02-wise-lending#m-01-exiting-a-farm-on-mainnet-assumes-a-peg-of-11--when-swapping-steth-for-eth
https://code4rena.com/reports/2023-03-asymmetry#h-06-wsteth-derivative-assumes-a-11-peg-of-steth-to-eth

Impact

Arbitrage prone queue blocking usage of honest users.

Tools Used

Manual review

Recommendations

Consider calculating ratio of stLINK to LINK.