Stader Labs - Hama's results

Decentralized ETH liquid staking protocol with 4 ETH bond for anyone to be a node operator.

General Information

Platform: Code4rena

Start Date: 02/06/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 75

Period: 7 days

Judge: Picodes

Total Solo HM: 5

Id: 249

League: ETH

Stader Labs

Findings Distribution

Researcher Performance

Rank: 51/75

Findings: 1

Award: $31.80

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Stader Labs

Findings Information

🌟 Selected for report: Madalad

Also found by: Aymen0909, Bauchibred, Breeje, DadeKuma, Hama, LaScaloneta, Madalad, MohammedRizwan, bin2chen, dwward3n, erictee, etherhood, kutugu, peanuts, piyushshukla, rvierdiiev, saneryee, tallo, turvy_fuzz, whimints

Awards

31.7954 USDC - $31.80

Labels

bug

2 (Med Risk)

satisfactory

duplicate-15

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L649

Vulnerability details

Impact

The impact of this finding is that it can lead to the usage of stale prices across various functions in the affected contracts. When retrieving data from Chainlink's latestRoundData() API, there are no checks for stale data, which can result in the utilization of outdated price information. This vulnerability has the potential to cause financial losses to end-users who rely on accurate and up-to-date price data.

Proof of Concept

function getPORFeedData() internal view returns ( uint256, uint256, uint256) {
(, int256 totalETHBalanceInInt, , , ) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy()).latestRoundData();
(, int256 totalETHXSupplyInInt, , , ) = AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy()).latestRoundData();
return (uint256(totalETHBalanceInInt), uint256(totalETHXSupplyInInt), block.number);
}

Tools Used

manual review

Recommended Mitigation Steps

Consider adding the missing checks for stale data. For example:

(uint80 roundID, int256 answer,, uint256 timestamp, uint80 answeredInRound) = AggregatorV3Interface(chainLinkAggregatorMap[underlying]).latestRoundData();
require(answer > 0, "Chainlink price <= 0");
require(answeredInRound >= roundID, "Stale price");
require(timestamp != 0, "Round not complete");

Assessed type

Oracle

#0 - c4-judge
2023-06-09T23:25:33Z

Picodes marked the issue as duplicate of #15

#1 - c4-judge
2023-07-02T10:49:53Z

Picodes marked the issue as satisfactory

Stader Labs - Hama's results

Decentralized ETH liquid staking protocol with 4 ETH bond for anyone to be a node operator.

General Information

Findings Distribution

Researcher Performance

External Links

[M-14] Chainlink’s latestRoundData Might Return Stale Results - $31.80

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-judge2023-06-09T23:25:33Z

#1 - c4-judge2023-07-02T10:49:53Z

#0 - c4-judge
2023-06-09T23:25:33Z

#1 - c4-judge
2023-07-02T10:49:53Z