Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Inconsistent `totalStaked` Accounting in `burn` Function

foxb868

Summary

The burn function in the StakingPool contract fails to update the totalStaked variable when tokens are burned, leading to an inconsistency between totalStaked and the actual total staked amount. Can result in incorrect calculations, difficulty in reconciling balances, and potential exploits.

Vulnerability Details

When users stake tokens using the deposit function, the totalStaked variable is correctly incremented by the deposited amount: https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L120-L124

function deposit(

address _account,

uint256 _amount,

bytes[] calldata _data

) external onlyPriorityPool {

// ...

if (_amount > 0) {

// ...

totalStaked += _amount;

}

// ...

}

However, when users burn their staked tokens using the burn function, the totalStaked variable is not decremented: https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L423-L426

function burn(uint256 _amount) external {

_burn(msg.sender, _amount);

emit Burn(msg.sender, _amount);

}

The issue arises because the burn function calls the internal _burn function to burn the tokens from the user's balance, but it does not decrease the totalStaked amount accordingly. As a result, the totalStaked variable becomes out of sync with the real total staked amount. https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L423-L426

function burn(uint256 _amount) external {

_burn(msg.sender, _amount);

// @audit totalStaked is not decreased by _amount

emit Burn(msg.sender, _amount);

}

This inconsistency can lead to incorrect calculations and unexpected behavior in other parts of the contract that rely on the accuracy of totalStaked.

Burden of Proof

Consider the following scenario

Initially, totalStaked is 0.
A user calls the deposit function to stake 100 tokens. The totalStaked variable is correctly incremented to 100.
The same user then calls the burn function to burn 50 tokens.
After the burn function is executed, the totalStaked variable remains at 100, even though the actual total staked amount has decreased to 50.

The discrepancy between the totalStaked value and the actual total staked amount proves that the burn function does not properly update totalStaked.

Impact

Users and contract administrators may face challenges when trying to reconcile the actual staked balances with the totalStaked value, as they will not match.

Tools Used

Recommendations

By decrementing totalStaked by the _amount being burned, the contract ensures that totalStaked remains in sync with the actual total staked amount.

function burn(uint256 _amount) external {

_burn(msg.sender, _amount);

+ // Add the following line to fix the issue

+ // totalStaked -= _amount;

emit Burn(msg.sender, _amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.