Negative `totalRewards` Can Set `totalStaked` to an Incorrect Value in `StakingPool::_updateStrategyRewards`
Summary
During the execution of StakingPool::_updateStrategyRewards, the totalStaked value is updated with the net change in deposits (totalRewards) from the strategy. However, if totalRewards is negative and its absolute value exceeds the current totalStaked, the calculation will result in an incorrect, extremely large totalStaked value after being cast back to uint256. This issue arises because the result of adding a negative totalRewards to totalStaked is not handled correctly.
Vulnerability Details
Within the StakingPool::_updateStrategyRewards function, the following code attempts to update totalStaked based on the net change in totalRewards:
When totalRewards is negative and larger than totalStaked in absolute terms, the final value of totalStaked becomes an incorrect, extremely large number due to the improper casting back to uint256. This scenario is plausible because totalStaked can be low, and a negative totalRewards can occur through events like slashing in Chainlink contracts—a common occurrence.
Impact
An incorrect totalStaked value will compromise the entire accounting system of the Chainlink protocol. This leads to erroneous calculations for rewards and fee distributions, which can severely affect the financial operations of the protocol.
Tools Used
Manual
Recommendations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.