code-423n4 / 2022-11-stakehouse-findings


rotateLPTokens() May cause lpToken.totalSupply() to be greater than maxStakingAmountPerValidator #295

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/ETHPoolLPFactory.sol#L83

Vulnerability details

Impact

ETHPoolLPFactory#rotateLPTokens() wrongly uses "24 ether"; it should use the variable maxStakingAmountPerValidator. As a result, StakingFundsVault's lpToken.totalSupply() may be greater than 4 eth.

Proof of Concept

Uses "24 eth"; must use maxStakingAmountPerValidator.

abstract contract ETHPoolLPFactory is StakehouseAPI {

    function rotateLPTokens(LPToken _oldLPToken, LPToken _newLPToken, uint256 _amount) public {
...
        require(_amount + _newLPToken.totalSupply() <= 24 ether, "Not enough mintable tokens"); // @audit uses 24 eth, must use maxStakingAmountPerValidator

contract StakingFundsVault is
    Initializable, ITransferHookProcessor, StakehouseAPI, ETHPoolLPFactory, SyndicateRewardsProcessor, ReentrancyGuard
{
...

    function _init(LiquidStakingManager _liquidStakingNetworkManager, LPTokenFactory _lpTokenFactory) internal virtual {
....
        maxStakingAmountPerValidator = 4 ether; // @audit maxStakingAmountPerValidator = 4 eth, not 24 eth
    }

Tools Used

Recommended Mitigation Steps

abstract contract ETHPoolLPFactory is StakehouseAPI {

    function rotateLPTokens(LPToken _oldLPToken, LPToken _newLPToken, uint256 _amount) public {
...
-        require(_amount + _newLPToken.totalSupply() <= 24 ether, "Not enough mintable tokens");
+        require(_amount + _newLPToken.totalSupply() <= maxStakingAmountPerValidator, "Not enough mintable tokens");   
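
Review bot: On the + line, the bound now depends on maxStakingAmountPerValidator being assigned by every contract that inherits ETHPoolLPFactory, and the report only shows StakingFundsVault._init setting it (4 ether). If an inheriting contract leaves it unset, the value is zero and every rotation with a non-zero _amount reverts; that fails closed, but it deserves a comment on the variable. Please also add a regression test that rotating into a StakingFundsVault token whose totalSupply() plus _amount exceeds 4 ether reverts with "Not enough mintable tokens".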

c4-judge commented 1 year ago

dmvt marked the issue as duplicate of #118

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory

c4-judge commented 1 year ago

dmvt marked the issue as partial-25

C4-Staff commented 1 year ago

JeeberC4 marked the issue as duplicate of #132
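
The cap mismatch described in the report above, reduced to a self-contained model. This is an added example, not code from the Stakehouse repository or from the report's author: MiniLPToken, RotateCapDemo, rotateHardcoded, rotateCapped, _move and demo are hypothetical names, and the burn-then-mint rotation step is an assumption because the report elides the function body.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical stand-in for LPToken; only supply accounting is modelled (no access control).
contract MiniLPToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }
    function burn(address from, uint256 amount) external {
        balanceOf[from] -= amount; // checked arithmetic reverts on underflow
        totalSupply -= amount;
    }
}

// Hypothetical pool with the 4 ether cap the report quotes from StakingFundsVault._init.
contract RotateCapDemo {
    uint256 public maxStakingAmountPerValidator = 4 ether;

    // Check as reported: the literal ignores the pool's configured cap.
    function rotateHardcoded(MiniLPToken oldT, MiniLPToken newT, uint256 amount) external {
        require(amount + newT.totalSupply() <= 24 ether, "Not enough mintable tokens");
        _move(oldT, newT, amount);
    }

    // Check as recommended: bounded by the pool's own cap.
    function rotateCapped(MiniLPToken oldT, MiniLPToken newT, uint256 amount) external {
        require(amount + newT.totalSupply() <= maxStakingAmountPerValidator, "Not enough mintable tokens");
        _move(oldT, newT, amount);
    }

    // Assumed burn-then-mint rotation; the report elides the real function body.
    function _move(MiniLPToken oldT, MiniLPToken newT, uint256 amount) private {
        oldT.burn(msg.sender, amount);
        newT.mint(msg.sender, amount);
    }

    // Constructed scenario: rotate 2 ether into a token that already holds 3 ether.
    function demo() external returns (bool cappedReverted, uint256 supplyAfterHardcoded) {
        MiniLPToken a = new MiniLPToken();
        MiniLPToken b = new MiniLPToken();
        a.mint(address(this), 4 ether);
        b.mint(address(this), 3 ether);
        try this.rotateCapped(a, b, 2 ether) {} catch { cappedReverted = true; }
        this.rotateHardcoded(a, b, 2 ether); // same input passes the 24 ether literal
        supplyAfterHardcoded = b.totalSupply(); // supply of b after the uncapped rotation
    }
}
```

Calling demo() feeds the same rotation to both checks, so the returned pair shows whether the capped variant rejected it and what supply the hard-coded variant left behind, for comparison against maxStakingAmountPerValidator.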