PriorityPool::_depositQueuedTokens() updates the totalQueued state variable when queued tokens are deposited into the staking pool. However, it fails to update the accountQueuedTokens mapping, which tracks each user's queued tokens. This mismatch between totalQueued and accountQueuedTokens leads to reversion errors when users attempt to unqueue or withdraw tokens through the unqueueTokens() or withdraw() functions. These errors occur because the protocol assumes users have fewer queued tokens than they actually do, even when totalQueued is sufficient.
The vulnerability arises in the PriorityPool::_depositQueuedTokens() function, which only updates the totalQueued state variable without updating the individual accountQueuedTokens mapping for the account making the deposit. As a result, when users later attempt to unqueue or withdraw their tokens, the protocol checks their accountQueuedTokens balance, which will be lower than expected. Even if the total queued tokens (totalQueued) are sufficient to cover the withdrawal, the functions revert due to the mismatch between the account's balance and the global queued token count.
The issue can be observed in the unqueueTokens() function:
Here, the function compares _amountToUnqueue against the account's getQueuedTokens() balance. Since accountQueuedTokens wasn't updated in depositQueuedTokens(), this balance may be inaccurate, causing the function to revert even when totalQueued is large enough.
Similarly, the withdraw() function performs the following operation:
The incorrect accountQueuedTokens balance leads to the same issue of inaccurate withdrawal attempts, causing further reversion errors.
Additionally, the failure to update accountQueuedTokens introduces ambiguity regarding whose tokens are being deposited, complicating off-chain systems that rely on contract state updates to track queued tokens.
The issue also affects data accuracy for functions like PriorityPool::getAccountData() and PriorityPool::getQueuedTokens(), as the values they return will be based on the incorrect data in the accountQueuedTokens mapping.
This vulnerability breaks core functionality related to queuing and withdrawing tokens in the protocol. Without accurately tracking the queued tokens for each user, the protocol cannot process unqueue or withdrawal requests correctly, leading to reversion and operational failure. This severely impacts Stake Link’s ability to manage users’ queued tokens and undermines the reliability of off-chain systems relying on accurate contract data for updates.
Manual
Correctly update accountQueuedTokens along with totalQueued.
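The mismatch described in this finding, and the recommended fix, as a small Python model. This is an added example, not Stake Link's contract code: the class, method names, revert messages and the account "alice" are hypothetical, and it assumes the update path is meant to raise the account's balance together with the global total.

```python
# Simplified model of the accounting described in this finding (added example,
# not Stake Link's contract code). Assumption: the update path should raise the
# account's balance together with the global total.

class Revert(Exception):
    """Stands in for a Solidity revert."""


class QueueLedger:
    def __init__(self, update_account_balance):
        self.total_queued = 0        # models totalQueued
        self.account_queued = {}     # models the accountQueuedTokens mapping
        self.update_account_balance = update_account_balance

    def deposit_queued(self, account, amount):
        """Update path: always moves the total, the mapping only when fixed."""
        self.total_queued += amount
        if self.update_account_balance:  # the recommended fix
            self.account_queued[account] = self.account_queued.get(account, 0) + amount

    def unqueue(self, account, amount):
        """Checks the global total first, then the per-account balance."""
        if amount > self.total_queued:
            raise Revert("amount exceeds total queued")
        if amount > self.account_queued.get(account, 0):
            raise Revert("amount exceeds account balance")
        self.account_queued[account] -= amount
        self.total_queued -= amount

    def drift(self):
        """total_queued minus the sum of per-account balances; 0 when consistent."""
        return self.total_queued - sum(self.account_queued.values())


def run_scenario(update_account_balance):
    """Add 100 for a constructed account, try to unqueue 40, report the outcome."""
    ledger = QueueLedger(update_account_balance)
    ledger.deposit_queued("alice", 100)
    drift_before = ledger.drift()
    try:
        ledger.unqueue("alice", 40)
        outcome = "ok"
    except Revert as exc:
        outcome = f"revert: {exc}"
    return drift_before, outcome, ledger.drift()


if __name__ == "__main__":
    print("total only:  ", run_scenario(False))
    print("both updated:", run_scenario(True))
```

The `drift()` check is the kind of invariant an off-chain monitor or an invariant test can assert after every state change to catch this class of accounting mismatch.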