LTDingZhen - Users will lost their WETH if Lido stake limit is reached because there is no refund mechanism on prefundedDeposit.

[sherlock-admin2]

LTDingZhen

medium

Users will lost their WETH if Lido stake limit is reached because there is no refund mechanism on prefundedDeposit.

Summary

When staked ETH in Lido approaches the limit, users' WETH will be frequently locked in the contract,

Vulnerability Detail

In StEtherAdapter, when users/Tranches try to prefundedDeposit into LidoAdapter, they have to prefund their WETH into the adapter, but if Lido stake limit is reached, the portion of their WETH that exceeds the limit would be locked in the contract:

/// @inheritdoc BaseLSTAdapter
/// @dev Lido has a limit on the amount of ETH that can be staked.
/// @dev Need to check the current staking limit before staking to prevent DoS.
function _stake(uint256 stakeAmount) internal override returns (uint256) {
    uint256 stakeLimit = STETH.getCurrentStakeLimit();
    if (stakeAmount > stakeLimit) {
        // Cap stake amount
        stakeAmount = stakeLimit;
    }

    IWETH9(Constants.WETH).withdraw(stakeAmount);
    uint256 _stETHAmt = STETH.submit{value: stakeAmount}(address(this));

    if (_stETHAmt == 0) revert InvariantViolation();
    return stakeAmount;
    //@Audit M-2 lack refund
}

Impact

When staked ETH in Lido approaches the limit, users' WETH will be frequently locked in the contract, and can be taken by a frontrunner when they can be deposited into Lido.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/napier-v1/src/adapters/BaseLSTAdapter.sol#L133

Tool used

Manual Review

Recommendation

Add a refund mechanism to make sure no WETH is left in the contract.

[sherlock-admin]

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

It would be user mistake not to check how much is stakeLimit and stake more than the limit

takarez commented:

valid: medium(9)