Liquid Staking

Summary

When removing vaults from a strategy in StakeLink, the OperatorVault::exitVault function fails to unstake the vault’s deposited tokens if the vault is not part of a group. This issue arises because the function relies on conditions that are not met for non-grouped vaults, making it impossible to call unstakeRemovedPrincipal. As a result, non-grouped vaults remain stuck, affecting the protocol’s operation and accounting.

Vulnerability Details

In StakeLink, when vaults are removed from a strategy, their OperatorVault::exitVault function is called to withdraw their staked tokens from the Chainlink staking contract. However, the function fails when it attempts to call stakeController::unstakeRemovedPrincipal(), as shown in the following code:

The key issue lies in the preconditions for calling unstakeRemovedPrincipal. Specifically, the staker must be in the claim period or the pool must be closed or paused. This creates a problem for non-grouped vaults because StakeLink does not provide a way to enter the claim period for these vaults. The only time the unbond() function is called in StakeLink is within VaultControllerStrategy::updateVaultGroups, and it is only executed for vaults that are part of a group. As a result, non-grouped vaults can never satisfy the unstaking preconditions.

Impact

This issue prevents StakeLink from removing non-grouped vaults, making the protocol less manageable. Each stuck vault leads to undesirable changes in the protocol's accounting and affects the overall operation by locking staked tokens that cannot be removed.

Tools Used

Manual

Recommendations

Update the protocol to allow non-grouped vaults to enter the claim period and call unbond() when they are removed. This will ensure that unstakeRemovedPrincipal can be executed successfully for all vaults, whether grouped or not, allowing for proper removal and management of vaults in the system.