Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

`FundFlowController` Lacks Mechanism to Update `claimPeriod`, Causing Potential Sync Issues with Chainlink Staking Contract

Summary

The FundFlowController contract uses the claimPeriod variable to track the duration of the unbonding period for vault groups in the Chainlink staking contract. However, if Chainlink updates its claimPeriod, the FundFlowController will become out of sync, as there is no mechanism to update this value in the contract. This discrepancy can cause operational issues, such as failed withdrawals or deposits, because the claimPeriod will no longer align with the updated Chainlink staking contract.

Vulnerability Details

The claimPeriod variable is set during the initialization of the FundFlowController contract:

```solidity
function initialize(
    address _operatorVCS,
    address _communityVCS,
    uint64 _unbondingPeriod,
    uint64 _claimPeriod,
    uint64 _numVaultGroups
) public initializer {
    __UUPSUpgradeable_init();
    __Ownable_init();
    operatorVCS = IVaultControllerStrategy(_operatorVCS);
    communityVCS = IVaultControllerStrategy(_communityVCS);
    unbondingPeriod = _unbondingPeriod;
    // claimPeriod is assigned only here, at initialization
    claimPeriod = _claimPeriod;
    numVaultGroups = _numVaultGroups;
    for (uint256 i = 0; i < _numVaultGroups; ++i) {
        timeOfLastUpdateByGroup.push(0);
    }
}
```

If Chainlink updates the claimPeriod in its staking contract, the FundFlowController will continue using the outdated value, which could result in misaligned claim and unbonding period calculations. Without the ability to update the claimPeriod, the contract will cause deposits and withdrawals to fail unpredictably when it attempts to execute operations that rely on the outdated period.

Impact

If the claimPeriod is out of sync with the Chainlink staking contract, the protocol will not be able to correctly execute unbondings or claim operations. This misalignment could lead to failed transactions and result in unpredictable reverts during withdrawals and deposits. Such issues can disrupt the normal operations of the protocol and degrade user confidence.

Tools Used

Manual

Recommendations

Implement a function in the FundFlowController contract that allows the claimPeriod to be updated dynamically in case of changes to the Chainlink staking contract. This will ensure that the protocol remains aligned with the current staking parameters and avoids operational misalignment.
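One way the recommended setter could look, as an added sketch that is not the project's code. It assumes the contract inherits OpenZeppelin's `OwnableUpgradeable` (suggested by the `__Ownable_init()` call above); the contract name, the event, the error, and the `IStakingClaimPeriodSource` interface with its `currentClaimPeriod()` function are hypothetical names introduced for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Assumption: hypothetical read-only view of the claim period currently
// configured on the Chainlink staking side. Name and signature are illustrative.
interface IStakingClaimPeriodSource {
    function currentClaimPeriod() external view returns (uint256);
}

// Added sketch: only the state and functions relevant to this finding.
abstract contract FundFlowControllerPeriods is OwnableUpgradeable {
    uint64 public unbondingPeriod;
    uint64 public claimPeriod;

    event SetClaimPeriod(uint64 oldClaimPeriod, uint64 newClaimPeriod);

    error InvalidClaimPeriod();

    // Owner-gated so the stored value can follow a change made on the
    // Chainlink side without redeploying or upgrading the contract.
    function setClaimPeriod(uint64 _claimPeriod) external onlyOwner {
        if (_claimPeriod == 0) revert InvalidClaimPeriod();
        // Emit old and new values so off-chain monitoring sees every change.
        emit SetClaimPeriod(claimPeriod, _claimPeriod);
        claimPeriod = _claimPeriod;
    }

    // Lets a monitoring job detect drift before deposits or withdrawals revert.
    function isClaimPeriodInSync(IStakingClaimPeriodSource _staking)
        external
        view
        returns (bool)
    {
        return _staking.currentClaimPeriod() == uint256(claimPeriod);
    }
}
```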

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setters for various parameters of Chainlink
