Stader Labs - SovaSlava's results

Decentralized ETH liquid staking protocol with 4 ETH bond for anyone to be a node operator.

General Information

Platform: Code4rena

Start Date: 02/06/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 75

Period: 7 days

Judge: Picodes

Total Solo HM: 5

Id: 249

League: ETH

Researcher Performance

Rank: 11/75

Findings: 2

Award: $2,220.63

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

102.2712 USDC - $102.27

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-383

External Links

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L48
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L62

Vulnerability details

Impact

The contract Auction.sol imports PausableUpgradeable.sol and uses the modifier "whenNotPaused" in the createLot() and addBid() functions. But the owner cannot turn pause mode on or off, because the contract doesn't have external functions for it. PausableUpgradeable provides only the internal functions _pause and _unpause. The developer needs to create external functions and override these.

Proof of Concept

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L48

Tools Used

Manual review

Add these functions

    /**
     * @dev Triggers stopped state.
     * Contract must not be paused.
     */
    function pause() external {
        UtilLib.onlyManagerRole(msg.sender, staderConfig);
        _pause();
    }

    /**
     * @dev Returns to normal state.
     * Contract must be paused
     */
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }

Copied from (the correct contract, which has external functions) - https://github.com/code-423n4/2023-06-stader/blob/main/contracts/ETHx.sol

Assessed type

Other

#0 - c4-judge

2023-06-10T10:44:52Z

Picodes marked the issue as duplicate of #383

#1 - c4-judge

2023-07-02T09:44:23Z

Picodes marked the issue as satisfactory

Findings Information

Awards

102.2712 USDC - $102.27

Labels

bug
2 (Med Risk)
satisfactory
duplicate-383

External Links

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/OperatorRewardsCollector.sol#L46

Vulnerability details

Impact

The contract OperatorRewardsCollector.sol imports PausableUpgradeable.sol and uses the modifier "whenNotPaused" in the claim() function. But the owner cannot turn pause mode on or off, because the contract doesn't have external functions for it. PausableUpgradeable provides only the internal functions _pause and _unpause. The developer needs to create external functions and override these.

Proof of Concept

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/OperatorRewardsCollector.sol#L46

Tools Used

Manual review

Add these functions

    /**
     * @dev Triggers stopped state.
     * Contract must not be paused.
     */
    function pause() external {
        UtilLib.onlyManagerRole(msg.sender, staderConfig);
        _pause();
    }

    /**
     * @dev Returns to normal state.
     * Contract must be paused
     */
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }

Copied from (the correct contract, which has external functions) - https://github.com/code-423n4/2023-06-stader/blob/main/contracts/ETHx.sol

Assessed type

Other

#0 - c4-judge

2023-06-10T10:44:48Z

Picodes marked the issue as duplicate of #383

#1 - c4-judge

2023-07-02T09:44:23Z

Picodes marked the issue as satisfactory

Findings Information

Awards

102.2712 USDC - $102.27

Labels

bug
2 (Med Risk)
satisfactory
duplicate-383

External Links

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L107
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L160
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L172
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L185
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L201
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L318
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L392
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L449

Vulnerability details

Impact

The contract StaderOracle.sol imports PausableUpgradeable.sol and uses the modifier "whenNotPaused" in the submitExchangeRateData(), updateERFromPORFeed(), closeERInspectionMode(), disableERInspectionMode(), submitSocializingRewardsMerkleRoot(), submitValidatorStats(), submitWithdrawnValidators() and submitMissedAttestationPenalties() functions. But the owner cannot turn pause mode on or off, because the contract doesn't have external functions for it. PausableUpgradeable provides only the internal functions _pause and _unpause. The developer needs to create external functions and override these.

Proof of Concept

See description

Tools Used

Manual review

Add these functions

    /**
     * @dev Triggers stopped state.
     * Contract must not be paused.
     */
    function pause() external {
        UtilLib.onlyManagerRole(msg.sender, staderConfig);
        _pause();
    }

    /**
     * @dev Returns to normal state.
     * Contract must be paused
     */
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }

Copied from (the correct contract, which has external functions) - https://github.com/code-423n4/2023-06-stader/blob/main/contracts/ETHx.sol

Assessed type

Other

#0 - c4-judge

2023-06-10T10:44:43Z

Picodes marked the issue as duplicate of #383

#1 - c4-judge

2023-07-02T09:44:21Z

Picodes marked the issue as satisfactory
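
Added example (not part of the warden's submissions or the Stader code base): a review-time check for the pattern reported in the three findings above, flagging contracts that inherit a Pausable base and gate functions with whenNotPaused but never call _pause() or _unpause(). The sample sources and the names Stuck and Ok are constructed; the check is a single-file regex heuristic and does not follow inheritance.

```python
import re

# Constructed sample sources (not Stader code): Stuck gates claim() with
# whenNotPaused but never calls _pause/_unpause; Ok wires both up.
SAMPLES = {
    "Stuck.sol": """
contract Stuck is Initializable, PausableUpgradeable {
    function claim() external whenNotPaused { /* ... */ }
}""",
    "Ok.sol": """
contract Ok is AccessControlUpgradeable, PausableUpgradeable {
    function bid() external payable whenNotPaused { /* ... */ }
    function pause() external onlyRole(DEFAULT_ADMIN_ROLE) { _pause(); }
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) { _unpause(); }
}""",
}

COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
PAUSABLE = re.compile(r"\bcontract\s+\w+\s+is\b[^{]*\bPausable(?:Upgradeable)?\b")
GUARDED = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)[^{;]*\bwhenNotPaused\b")
CALLS = {
    "pause": re.compile(r"\b_pause\s*\(\s*\)"),
    "unpause": re.compile(r"\b_unpause\s*\(\s*\)"),
}

def check_pausable(source):
    """Return guarded functions and missing pause controls, or None if not Pausable."""
    code = COMMENT.sub("", source)  # ignore calls that only appear in comments
    if not PAUSABLE.search(code):
        return None
    return {
        "guarded": GUARDED.findall(code),
        "missing": [name for name, rx in CALLS.items() if not rx.search(code)],
    }

def scan(sources):
    """Map file name -> result for contracts whose pause gate cannot be toggled."""
    report = {}
    for name, src in sources.items():
        result = check_pausable(src)
        if result and result["guarded"] and result["missing"]:
            report[name] = result
    return report

if __name__ == "__main__":
    for name, r in scan(SAMPLES).items():
        print(f"{name}: whenNotPaused on {r['guarded']}, no call to {r['missing']}")
```

A hit still needs manual confirmation, since a parent contract in another file may expose the pause controls, and a clean result says nothing about who is allowed to call them.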

Findings Information

🌟 Selected for report: DadeKuma

Also found by: SovaSlava

Labels

bug
2 (Med Risk)
satisfactory
duplicate-226

Awards

2118.3566 USDC - $2,118.36

External Links

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L62

Vulnerability details

Impact

While an auction is in progress, the admin decides to turn on pause mode in the Auction contract. A user sees this tx in the mempool and front-runs it, sending a tx that calls addBid() with the best msg.value. After that, nobody can make a higher bid, because the contract is paused. And if pause mode lasts longer than lot.endBlock, then when the admin sends the tx that turns off pause mode, the user will be the winner of the auction.

Proof of Concept

  1. Current block = 1.
  2. User1 calls createLot() with endBlock=5.
  3. User2 calls addBid() with msg.value 1 eth.
  4. Admin calls pauseOn(), but the tx is still in the mempool.
  5. User3 front-runs the admin's tx and sends a tx calling addBid() with msg.value 1.00000...1 eth.
  6. Admin's tx is mined and the contract is paused. // block - 4
  7. User4 tries to call addBid() but the tx reverts - pause mode is on.
  8. ... Block 6
  9. Admin calls pauseOff().
  10. User3 is the winner of the auction.

Tools Used

Manual review.

Delete the modifier whenNotPaused() from the function addBid().

Assessed type

Other

#0 - c4-judge

2023-06-12T21:33:30Z

Picodes marked the issue as duplicate of #226

#1 - c4-judge

2023-07-02T23:23:28Z

Picodes marked the issue as satisfactory
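
Added example (not the warden's code and not Auction.sol): a toy Python model of the Proof of Concept timeline above, comparing the auction outcome when bidding is blocked by the pause with the outcome after the suggested mitigation. The Auction class, the block numbers used for steps 3 and 5, and User4's 2 ETH bid are assumptions; the real contract's bid accounting is not modelled.

```python
ETH = 10**18  # wei per ether

class Auction:
    """Toy block-bounded auction; a simplified stand-in, not the Stader contract."""

    def __init__(self, end_block, bid_respects_pause):
        self.end_block = end_block
        # True models addBid() carrying whenNotPaused; False models the mitigation.
        self.bid_respects_pause = bid_respects_pause
        self.paused = False
        self.highest = (None, 0)  # (bidder, amount in wei)

    def add_bid(self, block, bidder, amount):
        """Return True if the bid is accepted, False where the call would revert."""
        if self.bid_respects_pause and self.paused:
            return False  # paused
        if block > self.end_block or amount <= self.highest[1]:
            return False  # lot ended, or bid not higher than the current best
        self.highest = (bidder, amount)
        return True

def run_timeline(bid_respects_pause):
    """Replay steps 2-10 and return (winner, User4 bid accepted, late bid accepted)."""
    lot = Auction(end_block=5, bid_respects_pause=bid_respects_pause)
    lot.add_bid(2, "User2", 1 * ETH)
    lot.add_bid(4, "User3", 1 * ETH + 1)  # lands ahead of the pause tx
    lot.paused = True                     # admin's pause is mined in block 4
    user4_ok = lot.add_bid(4, "User4", 2 * ETH)  # constructed amount
    lot.paused = False                    # block 6: unpaused after endBlock
    late_ok = lot.add_bid(6, "User4", 2 * ETH)   # too late either way
    return lot.highest[0], user4_ok, late_ok

if __name__ == "__main__":
    print("addBid gated by pause:", run_timeline(True))
    print("addBid not gated     :", run_timeline(False))
```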
