LSD Network - Stakehouse contest - corerouter's results

A permissionless 3 pool liquid staking solution for Ethereum.

General Information

Platform: Code4rena

Start Date: 11/11/2022

Pot Size: $90,500 USDC

Total HM: 52

Participants: 92

Period: 7 days

Judge: LSDan

Total Solo HM: 20

Id: 182

League: ETH

Stakehouse Protocol

Findings Distribution

Researcher Performance

Rank: 87/92

Findings: 1

Award: $40.86

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: c7e7eff

Also found by: 0x4non, 9svR6w, HE1M, Jeiwan, Trust, aphak5010, arcoun, cccz, clems4ever, corerouter, koxuan, rotcivegaf, unforgiven

Labels

bug
3 (High Risk)
satisfactory
duplicate-147

Awards

40.8568 USDC - $40.86

External Links

Lines of code

https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L51-L73
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantMevAndFeesPool.sol#L73
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantMevAndFeesPool.sol#L152
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantMevAndFeesPool.sol#L161
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantMevAndFeesPool.sol#L187
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/StakingFundsVault.sol#L88
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/StakingFundsVault.sol#L128
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/StakingFundsVault.sol#L333
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/StakingFundsVault.sol#L337

Vulnerability details

Impact

The _distributeETHRewardsToUserForToken() function sends ETH through _recipient.call(), which hands control to the recipient. A malicious _recipient can use that call to invoke _distributeETHRewardsToUserForToken() again before the first invocation has finished. Neither _distributeETHRewardsToUserForToken() itself nor most of its callers have a reentrancy protection mechanism in place. As a result, the overlapping invocations may interact in destructive ways, and a malicious user may drain more ETH than they are owed.

Proof of Concept

https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L51-L73

Tools Used

  1. Add the nonReentrant modifier to the _distributeETHRewardsToUserForToken() function's signature, so that it reads:

function _distributeETHRewardsToUserForToken(
    address _user,
    address _token,
    uint256 _balance,
    address _recipient
) internal nonReentrant

  2. Make claimed[_user][_token] track the cumulative claimed value, so that https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L63

changes from:

claimed[_user][_token] = due;

to:

claimed[_user][_token] += due;
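As an added illustration (not the contest code or the Stakehouse contracts), the Python model below reproduces the accounting that the two mitigations target: a claim that overwrites claimed[_user][_token] versus one that accumulates it, and a guard that rejects a recipient re-entering the claim before the first call finishes. The share counts and reward amounts are constructed values.

```python
# Constructed model of the per-share reward accounting the finding describes (not the Stakehouse contracts).
from dataclasses import dataclass, field
PRECISION = ETH = 10**18  # fixed-point scale and wei per ETH

@dataclass
class RewardPool:
    cumulative_claimed: bool = True  # False reproduces `claimed = due`, True the `+=` fix
    accumulated_eth_per_share: int = 0
    claimed: dict = field(default_factory=dict)  # user -> ETH recorded as claimed
    paid_out: int = 0
    _in_claim: bool = False

    def add_rewards(self, wei: int, total_shares: int) -> None:
        self.accumulated_eth_per_share += wei * PRECISION // total_shares

    def claim(self, user: str, shares: int, recipient) -> int:
        if self._in_claim:  # emulates the nonReentrant modifier
            raise RuntimeError("reentrant claim rejected")
        due = shares * self.accumulated_eth_per_share // PRECISION - self.claimed.get(user, 0)
        if due <= 0:
            return 0
        self._in_claim = True
        try:
            recipient(self, due)  # external call before bookkeeping, the ordering the finding objects to
            self.paid_out += due
            if self.cumulative_claimed:
                self.claimed[user] = self.claimed.get(user, 0) + due
            else:
                self.claimed[user] = due  # overwrite: earlier claims are forgotten
        finally:
            self._in_claim = False
        return due

def run_claims(cumulative_claimed: bool) -> tuple:
    """Three claims by a 10-share holder of a 100-share pool; returns (paid, owed)."""
    pool = RewardPool(cumulative_claimed=cumulative_claimed)
    for rewards in (100 * ETH, 100 * ETH, 0):  # third claim arrives with no new rewards
        pool.add_rewards(rewards, 100)
        pool.claim("alice", 10, lambda p, amount: None)
    return pool.paid_out, 10 * pool.accumulated_eth_per_share // PRECISION

def reentrant_claim_blocked() -> bool:
    # A recipient that calls claim() again from its callback is rejected and nothing is paid.
    pool = RewardPool()
    pool.add_rewards(100 * ETH, 100)
    reenter = lambda p, amount: p.claim("alice", 10, reenter)
    try:
        pool.claim("alice", 10, reenter)
    except RuntimeError:
        return pool.paid_out == 0
    return False
```

With the overwriting ledger the third claim, made with no new rewards, is paid again, so the holder receives 30 ETH against 20 ETH owed; with the cumulative ledger it pays nothing.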

#0 - c4-judge

2022-11-21T13:58:28Z

dmvt marked the issue as duplicate of #60

#1 - c4-judge

2022-11-30T11:24:21Z

dmvt marked the issue as partial-25

#2 - c4-judge

2022-11-30T11:24:26Z

dmvt marked the issue as satisfactory

#3 - c4-judge

2022-11-30T11:30:05Z

dmvt marked the issue as not a duplicate

#4 - c4-judge

2022-11-30T11:30:13Z

dmvt marked the issue as duplicate of #59

#5 - C4-Staff

2022-12-21T05:47:22Z

JeeberC4 marked the issue as duplicate of #147

AuditHub


Built by malatrax © 2024
