Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

Contract `FundFlowController` may malfunction if Chainlink staking pool updates configs

Summary

Contract `FundFlowController` may malfunction because of stale configs.

Vulnerability Details

The `FundFlowController` configs `unbondingPeriod` and `claimPeriod` are initialized once at deployment, and there is no logic to update them afterward. This can cause the contract to malfunction if the Chainlink Staking protocol updates its bonding period and claim period configs, because the contract's logic depends heavily on these two configs from the Chainlink staking protocol. This applies especially to the function `updateVaultGroups()`, which is related to the deposit and withdraw flows in strategies.

According to the Chainlink staking protocol's implementation, it is possible to update the bonding period and claim period.

Impact

With the stale configs, strategies may not stake and unbond properly, which can block deposits and withdrawals.

Tools Used

Manual

Recommendations

Add logic to check and update these configs according to the Chainlink staking configs.
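One way to implement this recommendation, as an added sketch that is not code from the audited repository or from Chainlink: the cached values are re-read from the pool instead of being fixed at deployment. The `IStakingPoolParams` interface, its `getUnbondingParams()` getter, the contract name and the `uint64` storage types are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical view of the Chainlink staking pool: the getter name and the
// order of its return values are assumptions for this sketch.
interface IStakingPoolParams {
    function getUnbondingParams() external view returns (uint256 unbondingPeriod, uint256 claimPeriod);
}

contract FundFlowControllerParamsSketch {
    IStakingPoolParams public stakingPool; // assumed reference to the staking pool
    uint64 public unbondingPeriod;         // cached copy used by the timing logic
    uint64 public claimPeriod;             // cached copy used by the timing logic

    event UnbondingParamsSynced(uint64 unbondingPeriod, uint64 claimPeriod);
    error InvalidPoolParams();

    constructor(address _stakingPool) {
        stakingPool = IStakingPoolParams(_stakingPool);
        _syncUnbondingParams(); // initial values come from the pool, not from constructor args
    }

    // Permissionless on purpose: the values are read from the pool,
    // so the caller has no influence over what gets stored.
    function syncUnbondingParams() external {
        _syncUnbondingParams();
    }

    // True when the cache no longer matches the pool; cheap to poll from off-chain monitoring.
    function paramsAreStale() external view returns (bool) {
        (uint256 u, uint256 c) = stakingPool.getUnbondingParams();
        return u != unbondingPeriod || c != claimPeriod;
    }

    function _syncUnbondingParams() internal {
        (uint256 u, uint256 c) = stakingPool.getUnbondingParams();
        // Reject zero values and anything that would truncate in the uint64 cache.
        if (u == 0 || c == 0 || u > type(uint64).max || c > type(uint64).max) revert InvalidPoolParams();
        if (u == unbondingPeriod && c == claimPeriod) return; // nothing changed, no event
        unbondingPeriod = uint64(u);
        claimPeriod = uint64(c);
        emit UnbondingParamsSynced(uint64(u), uint64(c));
    }
}
```

Calling the internal sync at the start of `updateVaultGroups()` would keep that function working from current values, and the event gives operators a signal that the pool's configuration changed.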

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setters for various parameters of Chainlink
