Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

Failure to Update `depositsSinceLastUpdate` When Withdrawals Are Fulfilled with Queued Tokens Leads to Accounting Errors

Summary

The `PriorityPool` contract fails to update the `depositsSinceLastUpdate` variable when withdrawals are fulfilled using the user's own queued tokens. This omission makes the system’s accounting inaccurate and affects the accuracy of reward calculations. While `depositsSinceLastUpdate` is updated in other scenarios, such as when tokens are removed from the deposit queue or pushed into the staking pool, the protocol neglects to update this variable in one specific case, leading to potential errors in reward distribution.

Vulnerability Details

The `depositsSinceLastUpdate` variable is essential for tracking the total number of tokens deposited into the staking pool since the last reward distribution. It is used by external systems to calculate rewards accurately.

The `PriorityPool::_withdraw` and `PriorityPool::_depositQueuedTokens` functions update `depositsSinceLastUpdate` when tokens are removed from the deposit queue to fulfill withdrawals or when queued tokens are staked. However, the protocol neglects to update this variable in another case: when a user's withdrawal is fulfilled with their own queued deposit tokens.

Before `PriorityPool::_withdraw` is called in the `PriorityPool::withdraw` function, the protocol first tries to fulfill the user's withdrawal request with their own queued deposit tokens, as seen below:

```solidity
if (amountToUnqueue != 0) {
    accountQueuedTokens[account] -= amountToUnqueue;
    totalQueued -= amountToUnqueue;
    toWithdraw -= amountToUnqueue;
    emit UnqueueTokens(account, amountToUnqueue);
}
```

While the relevant accounting variables like `accountQueuedTokens` and `totalQueued` are updated, `depositsSinceLastUpdate` is not, leading to incorrect tracking of the total tokens deposited since the last update. This omission results in errors in reward calculations.
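The accounting gap described above, as a simplified JavaScript model added here (it is not the stake.link contract or the submitter's code). The method names are hypothetical stand-ins for the three code paths, and adding the amount to the counter on the two tracked paths is an assumption of the model. It replays a constructed sequence and reports every step where `totalQueued` shrinks while `depositsSinceLastUpdate` stays unchanged.

```javascript
// Simplified model (added example, not stake.link code) of the paths that shrink the queue.
// Assumption: the two paths the finding says update the counter do so by adding the amount.
class PriorityPoolModel {
  constructor() {
    this.totalQueued = 0;
    this.depositsSinceLastUpdate = 0;
    this.accountQueuedTokens = new Map();
  }
  queued(account) { return this.accountQueuedTokens.get(account) ?? 0; }
  queueDeposit(account, amount) {
    this.accountQueuedTokens.set(account, this.queued(account) + amount);
    this.totalQueued += amount;
  }
  // Stands in for _depositQueuedTokens: queued tokens are staked.
  depositQueuedTokens(amount) {
    this.totalQueued -= amount;
    this.depositsSinceLastUpdate += amount;
  }
  // Stands in for _withdraw taking tokens out of the deposit queue.
  withdrawFromQueue(amount) {
    this.totalQueued -= amount;
    this.depositsSinceLastUpdate += amount;
  }
  // Stands in for the quoted branch of withdraw(): the counter is left untouched.
  unqueueOwnTokens(account, amountToUnqueue) {
    this.accountQueuedTokens.set(account, this.queued(account) - amountToUnqueue);
    this.totalQueued -= amountToUnqueue;
  }
}
// Replay the steps; report each one where the queue shrank but the counter did not move.
function findUntrackedQueueRemovals(steps) {
  const pool = new PriorityPoolModel();
  const untracked = [];
  for (const [name, ...args] of steps) {
    const queuedBefore = pool.totalQueued;
    const counterBefore = pool.depositsSinceLastUpdate;
    pool[name](...args);
    const removed = queuedBefore - pool.totalQueued;
    if (removed > 0 && pool.depositsSinceLastUpdate === counterBefore) {
      untracked.push({ path: name, removed });
    }
  }
  return untracked;
}
// Constructed scenario: the account name and amounts are made up.
const SAMPLE_STEPS = [['queueDeposit', 'alice', 100], ['depositQueuedTokens', 30],
  ['withdrawFromQueue', 20], ['unqueueOwnTokens', 'alice', 40]];
console.log(findUntrackedQueueRemovals(SAMPLE_STEPS));
```

The same before/after comparison can be expressed as an invariant in the project's own test suite, run against the real contract instead of this model.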

Impact

The failure to update `depositsSinceLastUpdate` leads to inaccuracies in reward calculations, as the protocol does not correctly track the number of tokens deposited. This could result in erroneous reward distributions and imbalances in the protocol’s tokenomics.

Tools Used

Manual

Recommendations

Ensure that `depositsSinceLastUpdate` is updated in all cases where tokens are removed from the deposit queue, including when users’ queued tokens are used to fulfill withdrawals. This will ensure accurate tracking of deposits and prevent errors in reward distribution.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`depositsSinceLastUpdate` and `sharesSinceLastUpdate` can be manipulated by repeated deposit and withdrawal
