Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

`FundFlowController` Lacks Mechanism to Update `unbondingPeriod`, Causing Potential Sync Issues with Chainlink Staking Contract

Summary

The FundFlowController contract uses the unbondingPeriod variable to track the unbonding duration for vault groups in the Chainlink staking contract. However, if Chainlink updates its unbonding period, the FundFlowController will be out of sync, as there is no mechanism in place to update this variable. This misalignment between the two contracts can cause operational issues, such as failed withdrawals or deposits, because the unbondingPeriod will be outdated.

Vulnerability Details

The unbondingPeriod variable in the FundFlowController is initialized when the contract is deployed and remains static thereafter:

```solidity
function initialize(
    address _operatorVCS,
    address _communityVCS,
    uint64 _unbondingPeriod,
    uint64 _claimPeriod,
    uint64 _numVaultGroups
) public initializer {
    __UUPSUpgradeable_init();
    __Ownable_init();
    operatorVCS = IVaultControllerStrategy(_operatorVCS);
    communityVCS = IVaultControllerStrategy(_communityVCS);
    unbondingPeriod = _unbondingPeriod;
    claimPeriod = _claimPeriod;
    numVaultGroups = _numVaultGroups;
    for (uint256 i = 0; i < _numVaultGroups; ++i) {
        timeOfLastUpdateByGroup.push(0);
    }
}
```

The problem arises if Chainlink updates its unbonding period in the staking contract. Since the unbondingPeriod in FundFlowController is not updatable, the protocol will continue using the outdated value. This misalignment can cause issues during vault group unbondings, as the unbondingPeriod calculations will not match those of the Chainlink staking contract. As a result, withdrawals and deposits may revert unpredictably.

Impact

If the unbondingPeriod is out of sync with Chainlink's updated value, the protocol's unbonding and claim periods will be calculated incorrectly. This could lead to failed transactions, causing disruptions in the protocol’s operations, such as withdrawals and deposits reverting unexpectedly. Over time, this could erode user confidence and result in financial losses.

Tools Used

Manual

Recommendations

Introduce a function in the FundFlowController contract that allows the unbondingPeriod to be updated dynamically in case of changes to the Chainlink staking contract. This will ensure that the protocol remains in sync with Chainlink’s current staking parameters and prevent operational misalignment.
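One way the recommended setter could look, as an added sketch that is not part of the original submission or of Stakelink's code. The names `setUnbondingPeriod`, `UnbondingPeriodUpdated`, `NotOwner` and `InvalidUnbondingPeriod` are hypothetical, and the zero-value check is an assumption of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not Stakelink's code. Ownership is reduced to a single
// address so the sketch compiles on its own; the real contract would reuse the
// onlyOwner modifier it already has via __Ownable_init().
contract UnbondingPeriodSetterSketch {
    address public owner;
    uint64 public unbondingPeriod;

    // Hypothetical event and errors, named for this example only.
    event UnbondingPeriodUpdated(uint64 previousPeriod, uint64 newPeriod);
    error NotOwner();
    error InvalidUnbondingPeriod();

    constructor(uint64 _unbondingPeriod) {
        owner = msg.sender;
        unbondingPeriod = _unbondingPeriod;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Hypothetical setter: lets the owner realign the stored value after
    // Chainlink changes the unbonding period in its staking contract.
    function setUnbondingPeriod(uint64 _unbondingPeriod) external onlyOwner {
        // Assumption of this sketch: reject zero and no-op updates so that
        // every emitted event marks a real change.
        if (_unbondingPeriod == 0 || _unbondingPeriod == unbondingPeriod) {
            revert InvalidUnbondingPeriod();
        }
        uint64 previous = unbondingPeriod;
        unbondingPeriod = _unbondingPeriod;
        emit UnbondingPeriodUpdated(previous, _unbondingPeriod);
    }
}
```

Restricting the setter to the owner and emitting an event on each change leaves an on-chain record of when the stored value was realigned.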

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setters for various parameters of Chainlink
