Liquid Staking

Summary

The PriorityPool contract sets an initial allowance for the StakingPool contract to transfer tokens using type(uint256).max. While this appears to grant an extremely high allowance, every transfer by StakingPool reduces this value, and over time, as transaction volume increases, the allowance steadily decreases. Once the allowance is exhausted, the StakingPool will no longer be able to transfer tokens from the PriorityPool, which could break the protocol’s functionality.

Vulnerability Details

When PriorityPool is initialized, the contract sets an allowance of type(uint256).max for the StakingPool contract to move tokens. This allowance, though initially large, is not dynamic—it decreases with each token transfer made by StakingPool:

Because this value is fixed, it will eventually reach zero as the transaction volume increases, causing the allowance to be exhausted. When this happens, StakingPool will no longer be able to transfer tokens from PriorityPool, resulting in failed transactions and the protocol being unable to process queued withdrawals or transfers.

You can view the relevant code here:

• Allowance setup in PriorityPool

• executeQueuedWithdrawals function

Impact

Once the allowance is exhausted, the StakingPool contract will no longer be able to access tokens from the PriorityPool, leading to broken functionality across the protocol. The inability to execute transfers or withdrawals will severely affect user interactions, including queue withdrawals and other operations relying on token movements between contracts. This essentially freezes the protocol’s operation when allowance depletion occurs.

Likelihood: Low (It will take a long time to exhaust the allowance)
Impact: High (Break the whole system)
Severity: Medium

Tools Used

Manual

Recommendation

Set the appropriate allowance each time a token transfer is needed. This approach is not only future-proof but also safer than granting perpetual access to another actor's or contract's balance.