LSD Network - Stakehouse contest - V_B's results

A permissionless 3 pool liquid staking solution for Ethereum.

General Information

Platform: Code4rena

Start Date: 11/11/2022

Pot Size: $90,500 USDC

Total HM: 52

Participants: 92

Period: 7 days

Judge: LSDan

Total Solo HM: 20

Id: 182

League: ETH

Stakehouse Protocol

Findings Distribution

Researcher Performance

Rank: 91/92

Findings: 1

Award: $4.41

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xdeadbeef0x

Also found by: HE1M, JTJabba, Jeiwan, Lambda, Trust, V_B, aphak5010, hihen, joestakey, minhtrng, unforgiven

Labels

bug
2 (Med Risk)
downgraded by judge
partial-25
duplicate-49

Awards

4.4135 USDC - $4.41

External Links

Lines of code

https://github.com/code-423n4/2022-11-stakehouse/blob/39a3a84615725b7b2ce296861352117793e4c853/contracts/liquid-staking/GiantLP.sol#L43
https://github.com/code-423n4/2022-11-stakehouse/blob/39a3a84615725b7b2ce296861352117793e4c853/contracts/liquid-staking/LPToken.sol#L66

Vulnerability details

Description

Suppose Alice calls any of the functions that use the lastInteractedTimestamp value for some special checks. Bob (the attacker) monitors the mempool and sees Alice's transaction. He then calls transfer on the GiantLP/LPToken token (depending on which function Alice calls) before Alice's transaction is executed. He can call transfer with the amount parameter equal to zero. As a result, Alice's transaction fails and she has paid its gas. Note that Bob can force his transaction to be executed before Alice's by using a higher gas price or even MEV.

Impact

rotateLPTokens, withdrawLPTokens, withdrawDETH, burnLPToken, burnLPForETH and claimRewards are vulnerable to this griefing attack.

Recommended Mitigation Steps

Do not update the lastInteractedTimestamp value of an account when the transaction is not initiated by that account.
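As an added illustration (not the Stakehouse code; it assumes OpenZeppelin 4.x ERC20 and an assumed 30-minute cooldown), a hypothetical LP token showing the vulnerable hook pattern beside the hardened one recommended above:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Hypothetical LP token, written for illustration only. Every holder has a
// cooldown: withdraw() reverts until COOLDOWN has elapsed since the holder's
// last recorded interaction.
contract CooldownLP is ERC20 {
    uint256 public constant COOLDOWN = 30 minutes; // assumed value
    mapping(address => uint256) public lastInteractedTimestamp;
    bool public immutable hardened; // selects the vulnerable or the fixed hook

    constructor(bool _hardened) ERC20("Cooldown LP", "cLP") {
        hardened = _hardened;
        _mint(msg.sender, 1_000 ether);
    }

    // OpenZeppelin 4.x hook, called after mint, burn and transfer.
    function _afterTokenTransfer(address from, address to, uint256) internal override {
        if (!hardened) {
            // Vulnerable pattern: both ends of every transfer, including a
            // zero-amount transfer, get their timestamp refreshed, so any
            // third party can reset a recipient's cooldown at will.
            lastInteractedTimestamp[from] = block.timestamp;
            lastInteractedTimestamp[to] = block.timestamp;
        } else {
            // Hardened pattern (the report's recommendation): only the
            // account that initiated this transaction has its timestamp
            // updated. Rejecting amount == 0 alone would not close the
            // issue, since a dust transfer has the same effect.
            if (from == msg.sender) lastInteractedTimestamp[from] = block.timestamp;
            if (to == msg.sender) lastInteractedTimestamp[to] = block.timestamp;
        }
    }

    // The guarded function: with the vulnerable hook, a third party's
    // transfer to msg.sender can make this revert for the next COOLDOWN.
    function withdraw(uint256 amount) external {
        require(
            block.timestamp >= lastInteractedTimestamp[msg.sender] + COOLDOWN,
            "cooldown active"
        );
        _burn(msg.sender, amount);
        // release of the underlying asset would follow here
    }
}
```

Deploying with hardened = false and sending a zero-amount transfer to a holder shortly before their withdraw() reproduces the revert; with hardened = true the same transfer leaves the holder's timestamp untouched.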

#0 - c4-judge

2022-11-21T22:55:43Z

dmvt marked the issue as duplicate of #49

#1 - c4-judge

2022-11-29T22:43:05Z

dmvt marked the issue as partial-25

#2 - c4-judge

2022-11-29T22:43:09Z

dmvt changed the severity to 2 (Med Risk)
