Stader Labs - erictee's results

Decentralized ETH liquid staking protocol with 4 ETH bond for anyone to be a node operator.

General Information

Platform: Code4rena

Start Date: 02/06/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 75

Period: 7 days

Judge: Picodes

Total Solo HM: 5

Id: 249

League: ETH

Researcher Performance

Rank: 46/75

Findings: 1

Award: $31.80

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

31.7954 USDC - $31.80

Labels

bug
2 (Med Risk)
satisfactory
duplicate-15

External Links

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646-L650

Vulnerability details

Proof of Concept

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646-L650

In StaderOracle.sol, we are using latestRoundData, but there is no check whether the return value indicates stale data.

(, int256 totalETHBalanceInInt, , , ) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy())
    .latestRoundData();
(, int256 totalETHXSupplyInInt, , , ) = AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy())
    .latestRoundData();

This could lead to stale prices according to the Chainlink documentation:

https://docs.chain.link/docs/historical-price-data/#historical-rounds
https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round

Consider adding missing checks for stale data.

For example:

(uint80 ETHRoundID, int256 totalETHBalanceInInt, , uint256 ETHTimestamp, uint80 ETHAnsweredInRound) =
    AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy()).latestRoundData();
(uint80 ETHXRoundID, int256 totalETHXSupplyInInt, , uint256 ETHXTimestamp, uint80 ETHXAnsweredInRound) =
    AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy()).latestRoundData();
require(ETHAnsweredInRound >= ETHRoundID && ETHXAnsweredInRound >= ETHXRoundID, "Stale price");
require(ETHTimestamp != 0 && ETHXTimestamp != 0, "Round not complete");
require(totalETHBalanceInInt > 0 && totalETHXSupplyInInt > 0, "Chainlink answer reporting 0");

Assessed type

Oracle
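The checks in the finding can be gathered into one reusable guard. The following is an added example, not code from the submission or from the Stader repository; it goes beyond the recommendation by also bounding the age of `updatedAt` against the current block time. The `FeedGuard` library, its error names and the `maxAge` parameter are hypothetical, and `maxAge` is assumed to be chosen per feed from its published heartbeat plus a margin.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal copy of the Chainlink aggregator interface used in the finding.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper: reads a feed and reverts unless the answer is usable.
library FeedGuard {
    error RoundNotComplete(address feed);
    error CarriedOverAnswer(address feed, uint80 roundId, uint80 answeredInRound);
    error StaleAnswer(address feed, uint256 updatedAt, uint256 maxAge);
    error NonPositiveAnswer(address feed, int256 answer);

    /// @param feed   aggregator proxy address, e.g. the value returned by
    ///               staderConfig.getETHBalancePORFeedProxy()
    /// @param maxAge assumed freshness window in seconds for this feed
    function readFresh(address feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        // Same three conditions as the require statements in the finding.
        if (updatedAt == 0) revert RoundNotComplete(feed);
        if (answeredInRound < roundId) revert CarriedOverAnswer(feed, roundId, answeredInRound);
        if (answer <= 0) revert NonPositiveAnswer(feed, answer);

        // Added condition: reject answers older than maxAge. A timestamp
        // ahead of block.timestamp is rejected too, which also avoids an
        // underflow revert in the subtraction.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StaleAnswer(feed, updatedAt, maxAge);
        }

        return uint256(answer);
    }
}
```

Calling `FeedGuard.readFresh` once per proxy gives each feed its own freshness window, so a slow-updating proof-of-reserve feed is not held to the same bound as a fast one.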

#0 - c4-judge

2023-06-09T23:24:55Z

Picodes marked the issue as duplicate of #15

#1 - c4-judge

2023-07-02T10:49:32Z

Picodes marked the issue as satisfactory
