Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Outdated `totalDeposits` causes `StakingPool::getStrategyDepositRoom` to return incorrect values

Summary

The StakingPool::getStrategyDepositRoom() function can return incorrect values if totalDeposits is outdated. This happens when the totalDeposits value, which tracks the total tokens staked in a strategy, does not reflect recent rewards or updates. Since getStrategyDepositRoom() relies on canDeposit(), which uses the potentially stale totalDeposits value, the function may inaccurately report the available room for additional deposits. This misreporting could mislead external systems and users, resulting in flawed protocol behavior.

Vulnerability Details

The vulnerability arises from the reliance of StakingPool::getStrategyDepositRoom() on the canDeposit() function, which checks the available room for deposits based on totalDeposits. The totalDeposits value is updated when deposits or withdrawals occur, but when new rewards are earned, the accounting must be adjusted by calling updateDeposits. Until this update happens, totalDeposits remains outdated, leading to incorrect results in functions that depend on it.

The issue can be seen in the following code, where canDeposit() calculates the available deposit room:

```solidity
function canDeposit() external view returns (uint256) {
    uint256 max = getMaxDeposits();
    if (max <= totalStaked) {
        return 0;
    } else {
        return max - totalStaked;
    }
}
```

If totalDeposits is not updated before calling getStrategyDepositRoom(), the function will return an incorrect value for the available deposit room, since it will be based on an outdated totalDeposits value. This can lead to misleading results for users and external systems interacting with the protocol.

Impact

Returning incorrect deposit room information can have significant consequences for the Stake Link protocol, especially since it relies heavily on its view functions for integration with external systems that handle computational operations. Misreporting the available deposit room could lead to improper deposits, erroneous assumptions about the protocol’s capacity, or overuse of a strategy. These errors could result in financial discrepancies or incorrect user interactions, potentially damaging trust in the protocol.

Tools Used

Manual

Recommendations

Ensure that totalDeposits is always up to date before performing any calculations that depend on it. This can be achieved by calling updateDeposits() to adjust the accounting before proceeding with the rest of the function. Implement mechanisms that ensure the correct state is reflected whenever getStrategyDepositRoom() is called.
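The stale-accounting pattern described above, as an added illustration that is not Stakelink's code: a hypothetical strategy whose cached total lags behind rewards that have accrued but not yet been folded in, with the state-changing path refreshing accounting first and the view path including pending rewards without mutating state. The names ExampleStrategy, pendingRewards, accrueRewards and depositRoomCurrent are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical strategy for illustration only (not Stakelink's contract).
contract ExampleStrategy {
    uint256 public totalDeposits;   // principal plus rewards already accounted
    uint256 public pendingRewards;  // rewards earned but not yet folded in
    uint256 public immutable maxDeposits;

    constructor(uint256 _maxDeposits) {
        maxDeposits = _maxDeposits;
    }

    // Constructed stand-in for reward accrual reported by a keeper or oracle.
    function accrueRewards(uint256 amount) external {
        pendingRewards += amount;
    }

    // Folds pending rewards into totalDeposits. Until this runs, every
    // read of totalDeposits is stale by exactly pendingRewards.
    function updateDeposits() public {
        totalDeposits += pendingRewards;
        pendingRewards = 0;
    }

    // Reads the cached total: only accurate right after updateDeposits().
    function canDeposit() public view returns (uint256) {
        return maxDeposits > totalDeposits ? maxDeposits - totalDeposits : 0;
    }

    // State-changing path: refresh accounting before checking the room,
    // so the cap is enforced against the current total, not the cached one.
    function deposit(uint256 amount) external {
        updateDeposits();
        require(amount <= canDeposit(), "exceeds deposit room");
        totalDeposits += amount;
    }

    // View path: a view function cannot call updateDeposits(), so it adds
    // pendingRewards itself and returns the same answer deposit() would see.
    function depositRoomCurrent() external view returns (uint256) {
        uint256 current = totalDeposits + pendingRewards;
        return maxDeposits > current ? maxDeposits - current : 0;
    }
}
```

With maxDeposits = 100, totalDeposits = 90 and pendingRewards = 15, canDeposit() reports 10 while depositRoomCurrent() reports 0, which is the discrepancy the report is concerned with.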

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

[INVALID] `strategyDeposit` doesn't update `totalStaked`

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[INVALID] `strategyDeposit` doesn't update `totalStaked`
