Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Assumption of Strategy Count in FundFlowController Leads to Potential Deposit Failures

tychaios

Summary

A vulnerability has been identified in the StakingPool contract where the FundFlowController assumes a fixed number of strategies (two) when constructing deposit data. This assumption can lead to deposit failures when more than two strategies are added to the StakingPool and a deposit amount exceeds the capacity of the first two strategies.

Vulnerability Details

In StakingPool.sol:287, the addStrategy function allows the owner to add new strategies to the StakingPool. However, the FundFlowController's (getDepositData(uint256))[https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/FundFlowController.sol#L75] function always returns an array of two slots, regardless of the actual number of strategies in the pool.

This mismatch creates a problem when:

More than two strategies are added to the StakingPool.
A user attempts to make a deposit that doesn't fit entirely in the first two strategies.
The StakingPool determines that some or all of the remaining amount can be deposited in the third (or subsequent) strategy.

In this scenario, the StakingPool will attempt to access strategy data from the _data array passed to the deposit function, but this array only contains data for the first two strategies. This results in an out-of-bounds exception and the deposit transaction will revert.

// StakingPool.sol

function _depositLiquidity(bytes[] calldata _data) private {

uint256 toDeposit = token.balanceOf(address(this));

if (toDeposit > 0) {

for (uint256 i = 0; i < strategies.length; i++) {

IStrategy strategy = IStrategy(strategies[i]);

uint256 strategyCanDeposit = strategy.canDeposit();

// @audit-info Assumes a _data array large enough has been passed

if (strategyCanDeposit >= toDeposit) {

strategy.deposit(toDeposit, _data[i]);

break;

} else if (strategyCanDeposit > 0) {

strategy.deposit(strategyCanDeposit, _data[i]);

toDeposit -= strategyCanDeposit;

}

Impact

The impact of this vulnerability is significant:

Deposit failures: Users may be unable to complete deposits if the amount exceeds the capacity of the first two strategies, even if there is available capacity in other strategies.
Reduced functionality: The functionality of FundFlowController as a mean to easily deposit to strategies become useless.
Poor user experience: Users may face unexpected transaction failures.

Tools Used

Manual Review

Recommendations

To address this vulnerability, consider the following recommendations:

Modify the FundFlowController's getDepositData function to dynamically generate data for all available strategies, not just the first two.
Implement proper bounds checking when accessing strategy data in the deposit function to gracefully handle cases where data for a strategy might be missing.
Consider implementing a more flexible design that doesn't rely on a fixed array size for strategy data, allowing for easier scalability as new strategies are added.

Updates

Lead Judging Commences

inallhonesty Lead Judge

11 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.