Liquid Staking

Summary

In the StakingPool::_updateStrategyRewards function, the protocol calculates and distributes Liquid Staking Tokens (LST) to fee receivers based on balance changes in strategies. However, due to a double counting error in the calculation of totalFeeAmounts, the protocol mints and distributes an excess amount of shares to fee receivers. This incorrect share distribution can distort the token supply and unfairly reward participants.

Vulnerability Details

In the _updateStrategyRewards function, the protocol calculates the number of shares to be minted using the formula:

This formula ensures that totalFeeAmounts are subtracted from totalStaked before minting new shares. However, there is a double counting error in how totalFeeAmounts is handled.

The first time totalFeeAmounts is updated is when strategyFeeAmounts are added:

View the relevant code here.

The second time occurs when feeAmounts[feeAmounts.length - 1][i] is added:

View the relevant code here.

This leads to a double counting issue because strategyFeeAmounts and feeAmounts are both portions of the same depositChange. The strategyFeeAmounts[j] are portions of depositChange, and feeAmounts[i] are portions of totalRewards, which is the sum of all strategies’ depositChange. View this here.

The double addition of totalFeeAmounts results in an inflated value, causing excess shares to be minted.

Impact

This error causes the protocol to mint more shares than necessary and distribute them to fee receivers.

Tools Used

Manual

Recommendations

To resolve the issue, ensure that totalFeeAmounts is only counted once when calculating shares to be minted. Adjust the fee calculation logic to avoid adding totalFeeAmounts twice and ensure that only the correct portions of depositChange are considered in the calculation.