Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Low User Balances in StakingPool Prevent Token Withdrawal

Summary

In the StakingPool contract, users with balances below 100 tokens are unable to withdraw their staked tokens due to how the balanceOf function is implemented. This creates a situation where small balances are effectively locked within the contract.

Vulnerability Details

When the StakingPool::withdraw function is called, it checks the user's Liquid Staking Token (LST) balance using the balanceOf function to determine the equivalent amount of LINK tokens to be transferred back to the user. However, if the user's balance is less than 100 tokens, the balanceOf function returns 0, preventing the withdrawal of any tokens.

The issue stems from the logic within the balanceOf function:

    function balanceOf(address _account) public view override returns (uint256) {
        uint256 balance = getStakeByShares(shares[_account]);
        if (balance < 100) {
            return 0;
        } else {
            return balance;
        }
    }

This condition causes users with small balances to have their tokens stuck in the staking contract, as the function returns 0 for balances under 100.

Impact

Users with balances smaller than 100 tokens are unable to withdraw their tokens, effectively locking these assets in the staking contract.

Tools Used

Manual

Recommendations

Modify the balanceOf function to allow withdrawals for all balance sizes, or implement a process to handle small balances more gracefully to ensure users can always retrieve their staked tokens.
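
The threshold in the quoted balanceOf, modeled with BigInt as an added example (not code from the submission or from the Stakelink repository). The pro-rata getStakeByShares formula, the 18-decimal token and the sample holders are assumptions; the model lists holders whose share-derived stake is non-zero while balanceOf reports 0.

```javascript
// Added example: BigInt model of the quoted balanceOf. The share-to-stake
// formula, the 18-decimal token and all sample values are assumptions.
const DUST_THRESHOLD = 100n; // from the quoted code: balance < 100 reports as 0

class PoolModel {
  constructor(totalStaked, totalShares) {
    this.totalStaked = totalStaked; // base units of the staked token
    this.totalShares = totalShares;
  }

  // Assumed pro-rata conversion; the page does not show getStakeByShares.
  getStakeByShares(shares) {
    if (this.totalShares === 0n) return 0n;
    return (shares * this.totalStaked) / this.totalShares; // floors like uint256 division
  }

  // Mirrors the quoted function, keyed by share count instead of address.
  balanceOf(shares) {
    const balance = this.getStakeByShares(shares);
    return balance < DUST_THRESHOLD ? 0n : balance;
  }
}

// Holders whose underlying stake is non-zero but whose reported balance is 0.
function findHiddenDust(pool, holders) {
  return Object.entries(holders)
    .map(([name, shares]) => ({ name, stake: pool.getStakeByShares(shares), reported: pool.balanceOf(shares) }))
    .filter((h) => h.stake > 0n && h.reported === 0n);
}

// Render base units as a decimal string without float rounding.
function formatUnits(amount, decimals = 18) {
  const s = amount.toString().padStart(decimals + 1, "0");
  const frac = s.slice(-decimals).replace(/0+$/, "");
  return frac ? `${s.slice(0, -decimals)}.${frac}` : s.slice(0, -decimals);
}

// Constructed sample: 1,100 tokens staked against 1,000 shares (rate 1.1).
const pool = new PoolModel(1100n * 10n ** 18n, 1000n * 10n ** 18n);
const holders = { alice: 90n, bob: 91n, carol: 5n * 10n ** 17n, dave: 0n }; // share counts
for (const h of findHiddenDust(pool, holders)) {
  console.log(`${h.name}: stake ${h.stake} base units (${formatUnits(h.stake)} tokens), balanceOf -> ${h.reported}`);
}
```

The comparison in balanceOf is made on the raw uint256 value, so formatUnits is included to show what a given number of base units amounts to under the assumed 18 decimals.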

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
