Medium Findings
Inflation Attack on Zero Total Stake
Severity: Medium
Ecosystem: Aptos
Protocol: Thala LSD
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
staking::stake_thAPT_v2 is susceptible to an inflation attack, which may allow the first depositor to exploit subsequent depositors by manipulating the exchange rate. This can be achieved by making an initial deposit which, because of the staking fee, breaks the initial 1:1 ratio between the sthAPT_supply and the thAPT_staking amount. After this point, the attacker can continue making progressively larger deposits into the pool, each of which mints zero sthAPT, further inflating the price.
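
The rounding behaviour described above, as an added Python model (not Thala's Move code and not OtterSec's recommended fix). It assumes a pro-rata mint with floor division, a fee that stays in the pool, a constructed 10 bps fee and hypothetical names (Pool, quote, stake), and it shows a zero-mint and minimum-output guard, a common mitigation for this class of issue.

```python
from dataclasses import dataclass

FEE_BPS = 10  # constructed fee (0.10%); the page does not state the real value


@dataclass
class Pool:
    staked: int = 0  # thAPT held by the pool, smallest units
    supply: int = 0  # sthAPT in circulation


def quote(pool: Pool, amount: int) -> int:
    """Shares for a deposit under the assumed model: the fee (rounded up)
    stays in the pool, the remainder is converted pro rata, rounding down."""
    fee = -(-amount * FEE_BPS // 10_000)
    net = amount - fee
    if pool.supply == 0:
        return net  # empty pool: 1:1 on the net amount
    return net * pool.supply // pool.staked


def stake(pool: Pool, amount: int, min_shares_out: int = 1, guarded: bool = True) -> int:
    minted = quote(pool, amount)
    # Guard: abort instead of accepting funds that mint zero shares or fewer
    # shares than the depositor was quoted.
    if guarded and minted < max(1, min_shares_out):
        raise ValueError(f"deposit of {amount} would mint only {minted} shares")
    pool.staked += amount
    pool.supply += minted
    return minted


def demo() -> dict:
    # Unguarded: after a fee-skewed first deposit, growing deposits mint nothing.
    loose = Pool()
    minted = [stake(loose, a, guarded=False) for a in (2, 2, 4, 8, 10)]
    # Guarded: the same zero-share deposit is rejected and the pool is unchanged.
    strict = Pool(staked=16, supply=1)
    try:
        stake(strict, 10)
        rejected = False
    except ValueError:
        rejected = True
    return {"minted": minted, "loose": loose, "rejected": rejected, "strict": strict}


if __name__ == "__main__":
    print(demo())
```

In this model the unguarded pool ends at 26 staked units backing a single share, while the guarded call leaves the pool state untouched.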