Platform: Code4rena
Start Date: 11/11/2022
Pot Size: $90,500 USDC
Total HM: 52
Participants: 92
Period: 7 days
Judge: LSDan
Total Solo HM: 20
Id: 182
League: ETH
Rank: 2/92
Findings: 7
Award: $7,681.38
🌟 Selected for report: 3
🚀 Solo Findings: 2
🌟 Selected for report: clems4ever
2925.3837 USDC - $2,925.38
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L85
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L61
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L203
Any user who is the first to claim rewards from GiantMevAndFeesPool can get all the previously generated rewards, whatever the amount, even if he did not participate in generating those rewards...
https://gist.github.com/clems4ever/c9fe06ce454ff6c4124f4bd29d3598de
Copy-paste it into the test suite and run it.
forge test
Rework the way accumulatedETHPerLPShare and claimed are used. There are multiple bugs due to the interaction between those variables, as you will see in my other reports.
#0 - c4-judge
2022-11-20T11:01:40Z
dmvt marked the issue as primary issue
#1 - c4-sponsor
2022-11-28T18:10:02Z
vince0656 marked the issue as sponsor confirmed
#2 - c4-judge
2022-11-29T15:19:47Z
dmvt marked the issue as selected for report
#3 - trust1995
2022-12-06T23:34:42Z
I believe the root cause for this issue is this one https://github.com/code-423n4/2022-11-stakehouse-findings/issues/114
#4 - dmvt
2022-12-07T11:13:05Z
See my response in the post-judging qa discussion.
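As an added illustration of the accumulatedETHPerLPShare / claimed interaction this finding describes, here is a constructed Python model of rewards-per-share accounting; it is not the Stakehouse code or the warden's PoC, and the pool, user and function names are invented. It contrasts a pool that leaves claimed untouched when new LP shares are minted (so the first claimer can take rewards accrued before he joined) with one that credits new shares with the already-accrued rewards at mint time.

```python
# Constructed model of rewards-per-share accounting (not the Stakehouse contracts):
# acc_per_share stands in for accumulatedETHPerLPShare, claimed for claimed[user].
PRECISION = 10**18
ETH = 10**18

class RewardPool:
    def __init__(self, snapshot_on_mint):
        self.snapshot_on_mint = snapshot_on_mint  # False = vulnerable, True = hardened
        self.total_shares, self.shares, self.claimed = 0, {}, {}
        self.acc_per_share = 0  # rewards per LP share, scaled by PRECISION
        self.balance = 0        # ETH actually held by the pool

    def receive_rewards(self, eth):
        # Rewards are spread over the shares that exist at the moment they arrive.
        self.balance += eth
        if self.total_shares:
            self.acc_per_share += eth * PRECISION // self.total_shares

    def mint(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount
        if self.snapshot_on_mint:
            # Hardened: credit the new shares with rewards accrued before they existed,
            # so the holder can only claim what accrues from now on.
            self.claimed[user] = self.claimed.get(user, 0) + amount * self.acc_per_share // PRECISION

    def claimable(self, user):
        earned = self.shares.get(user, 0) * self.acc_per_share // PRECISION
        return earned - self.claimed.get(user, 0)

    def claim(self, user):
        due = self.claimable(user)
        if due > self.balance:
            raise ValueError("insufficient pool balance")  # the on-chain send would revert
        self.claimed[user] = self.claimed.get(user, 0) + due
        self.balance -= due
        return due

def first_claimer_scenario(snapshot_on_mint):
    """Alice stakes, 10 ETH arrives, Bob stakes and claims first; returns (bob_got, alice_got)."""
    pool = RewardPool(snapshot_on_mint)
    pool.mint("alice", 10)
    pool.receive_rewards(10 * ETH)
    pool.mint("bob", 10)
    bob_got = pool.claim("bob")
    try:
        alice_got = pool.claim("alice")
    except ValueError:  # pool drained: Alice's own rewards are gone
        alice_got = None
    return bob_got, alice_got
```

With snapshot_on_mint=False Bob walks away with the whole 10 ETH and Alice's claim reverts; with it set to True Bob gets nothing and Alice gets her 10 ETH.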
🌟 Selected for report: clems4ever
2925.3837 USDC - $2,925.38
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L172
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantLP.sol#L8
Any malicious user could make the rewards in GiantMevAndFeesPool inaccessible to all other users...
https://gist.github.com/clems4ever/9b05391cc2192c1b6e8178faa38dfe41
Copy the file in the test suite and run the test.
forge test
Protect the inherited functions of the ERC20 tokens (GiantLP and LPToken), because transfer is not protected and can trigger the before and after hooks. There is the same issue with LPToken and StakingFundsVault.
#0 - dmvt
2022-11-20T11:11:10Z
Comment for the warden: This report is nicely described inline in the gist, but ideally, the sponsor and I would be able to read a description in the report itself. A TL;DR, if you will.
#1 - c4-judge
2022-11-20T11:14:39Z
dmvt marked the issue as primary issue
#2 - c4-sponsor
2022-11-28T18:08:14Z
vince0656 marked the issue as sponsor confirmed
#3 - c4-judge
2022-11-29T15:20:07Z
dmvt marked the issue as selected for report
🌟 Selected for report: clems4ever
Also found by: HE1M
1316.4227 USDC - $1,316.42
https://github.com/code-423n4/2022-11-stakehouse/blob/39a3a84615725b7b2ce296861352117793e4c853/contracts/syndicate/Syndicate.sol#L369
https://github.com/code-423n4/2022-11-stakehouse/blob/39a3a84615725b7b2ce296861352117793e4c853/contracts/syndicate/Syndicate.sol#L668
https://github.com/code-423n4/2022-11-stakehouse/blob/39a3a84615725b7b2ce296861352117793e4c853/contracts/syndicate/Syndicate.sol#L228
A malicious user can steal all claimable ETH belonging to free floating SLOT holders...
https://gist.github.com/clems4ever/f1149743897b2620eab0734f88208603
Run it in the test suite with forge.
Manual review / forge
+= operator instead of = in https://github.com/code-423n4/2022-11-stakehouse/blob/39a3a84615725b7b2ce296861352117793e4c853/contracts/syndicate/Syndicate.sol#L228?
The logic for keeping the rewards up-to-date is also quite complex in my opinion. The main thing that triggered it for me was the lazy call to updateAccruedETHPerShares. Why not keep the state updated after each operation instead?
#0 - c4-judge
2022-11-20T14:50:05Z
dmvt marked the issue as primary issue
#1 - c4-sponsor
2022-11-28T18:05:31Z
vince0656 marked the issue as sponsor confirmed
#2 - c4-judge
2022-11-29T16:53:04Z
dmvt marked the issue as selected for report
#3 - c4-judge
2022-11-29T16:53:21Z
dmvt marked the issue as satisfactory
🌟 Selected for report: c7e7eff
Also found by: 0x4non, 9svR6w, HE1M, Jeiwan, Trust, aphak5010, arcoun, cccz, clems4ever, corerouter, koxuan, rotcivegaf, unforgiven
40.8568 USDC - $40.86
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/StakingFundsVault.sol#L315
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/StakingFundsVault.sol#L343
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L67
All rewards can be stolen from StakingFundsVault.
https://gist.github.com/clems4ever/b7dd7a6155ac01a9b5e1d8504cd8b5b0
Run with forge test
Manual review and forge
accumulatedETHPerLPShare and claimed.
StakingFundsVault LPToken.
#0 - dmvt
2022-11-20T11:54:13Z
I've asked the warden (in Discord) to add a few more comments to the gist:
"I think this is valid and different from the others you reported, but I'm having a slightly hard time with the use of the mocked privileged user (manager) in the middle of the test. More color to help explain how the hack happens without access to this user is important for validity and risk rating. Please only add comments, don't remove anything"
#1 - c4-judge
2022-11-20T14:46:35Z
dmvt marked the issue as primary issue
#2 - c4-judge
2022-11-20T22:25:13Z
dmvt marked the issue as duplicate of #59
#3 - c4-judge
2022-11-29T16:46:39Z
dmvt marked the issue as satisfactory
#4 - C4-Staff
2022-12-21T05:47:22Z
JeeberC4 marked the issue as duplicate of #147
🌟 Selected for report: Jeiwan
Also found by: 0xdeadbeef0x, 9svR6w, JTJabba, Lambda, Trust, arcoun, banky, bin2chen, bitbopper, c7e7eff, clems4ever, datapunk, fs0c, hihen, imare, immeas, perseverancesuccess, ronnyx2017, satoshipotato, unforgiven, wait
11.192 USDC - $11.19
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L48
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L55
All idle ETH from both giant pools can be stolen.
https://gist.github.com/clems4ever/ae451d0eef2539815c910f37b0cb254d
Can be run with forge.
Forge test / manual review
#0 - c4-judge
2022-11-20T11:39:16Z
dmvt marked the issue as primary issue
#1 - c4-sponsor
2022-11-28T18:05:48Z
vince0656 marked the issue as sponsor confirmed
#2 - c4-judge
2022-11-29T15:25:01Z
dmvt marked the issue as satisfactory
#3 - C4-Staff
2022-12-21T05:40:17Z
JeeberC4 marked the issue as duplicate of #36
#4 - C4-Staff
2022-12-21T05:40:37Z
JeeberC4 marked the issue as not a duplicate
#5 - C4-Staff
2022-12-21T05:40:50Z
JeeberC4 marked the issue as duplicate of #251
🌟 Selected for report: rotcivegaf
Also found by: 0x4non, clems4ever, datapunk
410.1163 USDC - $410.12
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L56
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L203
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L61
All rewards accumulated for all users in GiantMevAndFeesPool can be withdrawn in a reentrancy attack...
https://gist.github.com/clems4ever/27199bb9755ecd37d78d480e38a594db
Run it with forge in the test suite.
forge test
#0 - c4-judge
2022-11-20T11:32:52Z
dmvt marked the issue as primary issue
#1 - c4-sponsor
2022-11-28T18:07:44Z
vince0656 marked the issue as sponsor confirmed
#2 - c4-judge
2022-11-29T15:23:11Z
dmvt marked the issue as satisfactory
#3 - C4-Staff
2022-12-21T00:17:14Z
JeeberC4 marked the issue as duplicate of #35
#4 - C4-Staff
2022-12-21T00:18:05Z
JeeberC4 marked the issue as not a duplicate
#5 - C4-Staff
2022-12-21T00:18:17Z
JeeberC4 marked the issue as duplicate of #328
🌟 Selected for report: 0xSmartContract
Also found by: 0x4non, 0xNazgul, 0xRoxas, 0xdeadbeef0x, 0xmuxyz, 9svR6w, Awesome, Aymen0909, B2, Bnke0x0, CloudX, Deivitto, Diana, Franfran, IllIllI, Josiah, RaymondFam, ReyAdmirado, Rolezn, Sathish9098, Secureverse, SmartSek, Trust, Udsen, a12jmx, aphak5010, brgltd, bulej93, c3phas, ch0bu, chaduke, chrisdior4, clems4ever, cryptostellar5, datapunk, delfin454000, fs0c, gogo, gz627, hl_, immeas, joestakey, lukris02, martin, nogo, oyc_109, pashov, pavankv, peanuts, pedr02b2, rbserver, rotcivegaf, sahar, sakman, shark, tnevler, trustindistrust, zaskoh, zgo
52.0338 USDC - $52.03
A user can deposit ether into GiantMevAndFeesPool but apparently cannot withdraw it.
POC: https://gist.github.com/clems4ever/64ae725c7288ba8f48d22cdd5e5e0f0c
Just run the POC in the test suite.
Do those functions need to be publicly available?
They update the state, so I'd rather not leave them open if I were you. I've not found direct ways to trigger an exploit by calling them directly, but I've found indirect ways to call them in order to trigger a bug anyway. I think these functions should at least be protected from being called by anyone, just for the sake of peace of mind.
#0 - c4-judge
2022-11-29T15:21:03Z
dmvt marked the issue as grade-b