Asymmetry contest - Stiglitz's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 81/246

Findings: 1

Award: $58.94

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

58.9366 USDC - $58.94

Labels

bug
3 (High Risk)
satisfactory
edited-by-warden
duplicate-703

External Links

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L73
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L91
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L115
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L118
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L141
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L142
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L152

Vulnerability details

Description

New derivatives can be added to the SafEth contract, but they can never be removed. This can lead to a DoS when a derivative's code starts reverting after an upgrade. (The links to the affected code point to the function calls that expose the risk; they are not the code that needs to change.)

Vulnerable scenario

A new derivative XXX is added via the addDerivative function. A derivative must implement the IDerivative interface. XXX can be an upgradeable contract, as the derivatives in the repository (Reth, SfrxEth and WstEth) are. Functions of every added derivative are called inside stake and unstake; these functions are the ones declared by the IDerivative interface. For example, in the stake function at line #73:

derivatives[i].ethPerDerivative(derivatives[i].balance())

In the unstake function at line #118:

derivatives[i].withdraw(derivativeAmount);

If the code of derivative XXX is upgraded and one of these functions is changed so that it reverts, whether by accident or maliciously (e.g. after ownership of the XXX contract is stolen), the whole SafEth contract is DoSed. Depending on which function reverts, staking and/or unstaking becomes impossible. The only way to recover once this happens is to upgrade the SafEth contract itself.

Setting the weight of the "broken" derivative to zero is not enough, since the calls shown above are still made for every registered derivative. Adding functionality to delete a derivative seems reasonable; however, the deletion logic must be designed so that users are not harmed, for example by manually rebalancing the weights afterwards.
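As an added illustration (not the project's code) of the deletion the finding asks for: a hypothetical registry that keeps the same index-keyed storage style, a swap-and-pop removeDerivative that never calls into the derivative being removed, and a valuation loop in the shape that makes the DoS possible. The interface is a minimal stand-in for the calls cited above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interface mirroring the calls the finding cites.
interface IDerivative {
    function balance() external view returns (uint256);
    function ethPerDerivative(uint256 _amount) external view returns (uint256);
    function withdraw(uint256 _amount) external;
}

// Hypothetical vault, not SafEth itself: index-keyed mappings plus a count,
// which is why deletion has to swap the last entry into the hole.
contract DerivativeRegistry {
    address public owner;
    mapping(uint256 => IDerivative) public derivatives;
    mapping(uint256 => uint256) public weights;
    uint256 public derivativeCount;
    uint256 public totalWeight;

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function addDerivative(address _contract, uint256 _weight) external onlyOwner {
        derivatives[derivativeCount] = IDerivative(_contract);
        weights[derivativeCount] = _weight;
        derivativeCount++;
        totalWeight += _weight;
    }

    // Removal never touches the removed derivative's code, so an entry whose
    // ethPerDerivative/withdraw reverts can still be taken out of the loop.
    // Any balance it still holds stops counting toward underlyingValue, which
    // is the user-harm point of the finding: withdraw first while it works.
    function removeDerivative(uint256 _index) external onlyOwner {
        require(_index < derivativeCount, "bad index");
        totalWeight -= weights[_index];
        uint256 last = derivativeCount - 1;
        if (_index != last) {
            derivatives[_index] = derivatives[last];
            weights[_index] = weights[last];
        }
        delete derivatives[last];
        delete weights[last];
        derivativeCount = last;
    }

    // Valuation loop as in the finding: every registered derivative is called
    // regardless of its weight, so a single reverting entry reverts the call.
    function underlyingValue() public view returns (uint256 value) {
        for (uint256 i = 0; i < derivativeCount; i++) {
            uint256 bal = derivatives[i].balance();
            value += (derivatives[i].ethPerDerivative(bal) * bal) / 1e18;
        }
    }
}
```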

#0 - c4-pre-sort

2023-04-04T17:29:28Z

0xSorryNotSorry marked the issue as duplicate of #703

#1 - c4-judge

2023-04-21T15:05:45Z

Picodes marked the issue as satisfactory
