Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Dos due to different length of arrays `_data` and `strategies` in _withdrawLiquidity

Gladiators

Summary

Withdrawing in stakingPool with different _data length to strategies arrays lengths will revert the withdraw.

Vulnerability Details

In stakingPool.sol when priority pools calls withdraw function, if user passes the _data array which is less than the strategies length and then while accessing _data[_data.length] we will get index out of bound error. This will eventually fail the transaction

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L500

  1. suppose there are 3 strategies and user passes _data[] array of length 2 to deposit

  2. the transaction will fail with the index out of bound error while accessing _data[2] if the first two strategies are max withdrawn already in _withdrawLiquidity function.

Impact

The transaction will get failed with index out of bound error. if strategies length if greater than _data[] and if first strategies are already fully withdrawn

Tools Used

Manual Inspection

Recommendations

add this below check

function _withdrawLiquidity(uint256 _amount, bytes[] calldata _data) private {
require(_data.length == strategies.length, mismatch length);
...
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.