Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

Treating Dynamic Arrays as Fixed Arrays in `StakingPool::_updateStrategyRewards` Causes Persistent Reverts

Summary

In the `StakingPool::_updateStrategyRewards` function, rewards and fees are distributed based on changes in strategy balances since the last update. However, the function incorrectly treats dynamic arrays as fixed arrays without setting their lengths, leading to persistent reverts during execution. This results in the inability to update strategy rewards, effectively causing a self-induced Denial of Service (DoS) for the protocol.

Vulnerability Details

The function `StakingPool::_updateStrategyRewards` distributes rewards by calculating balance changes in different strategies. The problem arises in the way dynamic arrays, `receivers` and `feeAmounts`, are instantiated and treated later in the function. Initially, these arrays are instantiated as dynamic arrays of fixed-length arrays, but later, they are manipulated as if they were fixed arrays, which leads to reverts.

The issue can be observed in the following incorrect implementation:

```solidity
function badFunction() public view returns (uint256) {
    address[][] memory receivers = new address[][]();
    uint256[][] memory feeAmounts = new uint256[][]();
    address[3] memory strategyReceivers = [address(0x01), address(0x02), address(0x03)];
    uint256[3] memory strategyFeeAmounts = [uint256(100), uint256(100), uint256(100)];
    receivers[0] = strategyReceivers;
    feeAmounts[0] = strategyFeeAmounts;
}
```

This results in an error like:

```
Type address[i] memory is not implicitly convertible to expected type address[] memory.
```

The correct implementation should define the arrays as fixed-length arrays from the start:

```solidity
function goodFunction() public view returns (uint256) {
    // `new T[]` requires a length argument; an outer length of 1 makes index 0 valid.
    address[3][] memory receivers = new address[3][](1);
    uint256[3][] memory feeAmounts = new uint256[3][](1);
    address[3] memory strategyReceivers = [address(0x01), address(0x02), address(0x03)];
    uint256[3] memory strategyFeeAmounts = [uint256(100), uint256(100), uint256(100)];
    // Element type is address[3] / uint256[3], so the assignments type-check.
    receivers[0] = strategyReceivers;
    feeAmounts[0] = strategyFeeAmounts;
}
```

Failing to handle the arrays correctly results in the function persistently reverting, preventing the protocol from updating strategy rewards.

Impact

This vulnerability effectively causes a self-induced Denial of Service (DoS) in the protocol. If the function cannot execute properly, strategy rewards and fees will no longer be calculated or distributed, severely impacting the functionality of the staking pool.

Tools Used

Manual

Recommendations

Ensure that the arrays are properly initialized with fixed lengths from the start, or modify the function to handle dynamic arrays correctly when setting values.
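
The second option above, handling dynamic arrays correctly when setting values, is sketched here as an added example (not code from the submission or from the Stakelink contracts). The contract name, function names and `strategyCount` parameter are hypothetical, and the sample addresses and amounts mirror the snippets earlier on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; NestedMemoryArrays, toDynamic and buildFees are hypothetical names.
contract NestedMemoryArrays {
    // A fixed-size memory array is not implicitly convertible to a dynamic one,
    // so it is copied element by element into a freshly allocated dynamic array.
    function toDynamic(address[3] memory src) internal pure returns (address[] memory dst) {
        dst = new address[](src.length);
        for (uint256 i = 0; i < src.length; i++) {
            dst[i] = src[i];
        }
    }

    function buildFees(uint256 strategyCount)
        external
        pure
        returns (address[][] memory receivers, uint256[][] memory feeAmounts)
    {
        // Memory arrays cannot grow, so the outer length is set at allocation.
        // Indexing past that length reverts with an out-of-bounds panic.
        receivers = new address[][](strategyCount);
        feeAmounts = new uint256[][](strategyCount);

        // Constructed sample data.
        address[3] memory fixedReceivers = [address(0x01), address(0x02), address(0x03)];

        for (uint256 i = 0; i < strategyCount; i++) {
            // Each inner slot holds an address[] / uint256[] of its own length.
            receivers[i] = toDynamic(fixedReceivers);
            feeAmounts[i] = new uint256[](3);
            for (uint256 j = 0; j < 3; j++) {
                feeAmounts[i][j] = 100;
            }
        }
    }
}
```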

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
