Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Over-Reliance on Identifiers Like Array Indexes Exposes Protocol to Blockchain Reorg Vulnerabilities

Summary

The protocol relies on array indexes as identifiers for key operations, such as removing or reordering strategies in StakingPool. This approach introduces a vulnerability where blockchain reorganizations (reorgs) can lead to the protocol mistakenly targeting the wrong items, causing critical mismanagement of contracts. This vulnerability could result in the permanent loss of important records, such as staking progress and rewards, particularly for protocols relying on external systems like Chainlink.

Vulnerability Details

The protocol uses array indexes as identifiers for items like strategies in the StakingPool. Key functions, such as StakingPool::removeStrategy, StakingPool::addStrategy, and StakingPool::reorderStrategies, rely on these indexes to correctly manage strategies. This approach introduces a risk during blockchain reorgs, where the state of transactions might be reverted or reordered, leading to inconsistent and incorrect strategy management.

Pretext

  • StakingPool::addStrategy: Adds a new strategy to the strategies array based on the owner's input.

  • StakingPool::removeStrategy: Removes a strategy by specifying its index in the strategies array.

  • StakingPool::reorderStrategies: Reorders strategies based on the provided indexes to adjust their positions in the array.

If a blockchain reorg occurs, the protocol could mistakenly point to the wrong strategy, causing unintended actions.

Proof of Concept

Original Scenario

  • Initial strategies array: [0x01, 0x02, 0x03, 0x04]

Owner's Intent:

  1. Remove strategy 0x04 (index 3).

  2. Add two new strategies (0x05 and 0x06).

  3. Reorder strategies in descending order.

Expected Final State:
[0x06, 0x05, 0x03, 0x02, 0x01]

Reorg Interrupted Scenario

  1. The owner adds 0x05 and reorders strategies before removing 0x04.

  2. The protocol mistakenly removes strategy 0x02 instead of 0x04 due to a blockchain reorg.

  3. The final state differs significantly from the expected state due to mismanagement of array indexes.

Reorg Interrupted Final State:
[0x05, 0x04, 0x03, 0x01, 0x06]

This behavior demonstrates how blockchain reorgs can disrupt the intended state of the strategies array, leading to incorrect management of strategies and associated rewards or staking records.

Impact

This vulnerability can cause the protocol to mistakenly remove or reorder strategies, resulting in the loss of critical data such as Chainlink staking progress, staking multipliers, and earned rewards. Once a strategy is removed, its records and associated funds may be permanently lost. Even if the strategy is re-added, it would restart from scratch, losing all historical progress and rewards.

Tools Used

Manual

Recommendations

To mitigate this risk, the protocol should avoid relying solely on array indexes as identifiers. Instead, use more robust identification mechanisms, such as strategy addresses or unique identifiers that persist through reorgs.
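
The recommendation above, as an added example that is not part of the submission or of the stake.link code base: a small JavaScript model comparing index-only removal with an expected-address guard and with address-keyed removal. It assumes the owner's calls execute in a different order than planned; the function names and the four addresses are hypothetical.

```javascript
// Added illustration: an in-memory model, not StakingPool's Solidity code.
// Every function name here is hypothetical; the addresses are constructed.

// Index-only removal: the caller names a slot and nothing else.
function removeByIndex(strategies, index) {
  if (!Number.isInteger(index) || index < 0 || index >= strategies.length) {
    throw new Error(`index ${index} out of range`);
  }
  const next = strategies.slice();
  const [removed] = next.splice(index, 1);
  return { strategies: next, removed };
}

// Guarded removal: the caller also states the address it expects in that slot,
// so the call fails instead of removing a different strategy.
function removeByIndexChecked(strategies, index, expected) {
  if (strategies[index] !== expected) {
    throw new Error(`slot ${index} holds ${strategies[index]}, expected ${expected}`);
  }
  return removeByIndex(strategies, index);
}

// Address-keyed removal: the slot is resolved when the call executes.
function removeByAddress(strategies, address) {
  const index = strategies.indexOf(address);
  if (index === -1) throw new Error(`unknown strategy ${address}`);
  return removeByIndex(strategies, index);
}

// newOrder[i] is the current index of the strategy that moves to slot i.
function reorder(strategies, newOrder) {
  const valid = newOrder.length === strategies.length &&
    new Set(newOrder).size === strategies.length &&
    newOrder.every((i) => Number.isInteger(i) && i >= 0 && i < strategies.length);
  if (!valid) throw new Error("newOrder must be a permutation of the indexes");
  return newOrder.map((i) => strategies[i]);
}

// The owner planned "remove index 3" against [0x01..0x04]; here a reorder
// into descending order executes first.
function removalAfterUnexpectedReorder() {
  const shifted = reorder(["0x01", "0x02", "0x03", "0x04"], [3, 2, 1, 0]);
  let guarded;
  try { guarded = removeByIndexChecked(shifted, 3, "0x04").removed; }
  catch (err) { guarded = "reverted"; }
  return {
    indexOnly: removeByIndex(shifted, 3).removed,
    guarded,
    byAddress: removeByAddress(shifted, "0x04").removed,
  };
}
```

In the model, the index-only call removes whatever now sits in slot 3, the guarded call fails without changing state, and the address-keyed call still removes 0x04.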

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
