Livepeer contest - hyh's results

Handle

hyh

Vulnerability details

Impact

Currently claimStake will fail with low level insufficient funds error if enough balance to cover L1 Delegator fee wasn't transferred to the contract beforehand. It has to be done in a separate call as claimStake isn't payable

Proof of Concept

claimStake now assumes that there is enough ETH balance in place for the L1 Delegator _fees transfer:

https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/gateway/L2Migrator.sol#L297

Also, the only payable function of the contract is the default receive():

https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/gateway/L2Migrator.sol#L235

This way the only operable scenario is to send the fee beforehand and then call claimStake

Recommended Mitigation Steps

Consider checking the balance to ensure that the _fees can be actually sent and fail with an explanation otherwise. Also, it looks like claimStake can be made payable and the need for default payable receive() to be examined afterwards

Handle

hyh

Vulnerability details

Impact

Gas is overspent on calculations and checks

Proof of Concept

(initialStake - claimedInitialStake) figure is calculated after require check, so the subtraction itself can be unchecked. Also, it is done twice now, can save the result to memory and use it.

https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/pool/DelegatorPool.sol#L73

Recommended Mitigation Steps

Consider calculating (initialStake - claimedInitialStake) one time and in unchecked scope.

Handle

hyh

Vulnerability details

Impact

Gas is overspent on the calls

Proof of Concept

withdrawETHToL1Migrator calls 'address(this).balance' twice:

https://github.com/livepeer/protocol/blob/20e7ebb86cdb4fe9285bf5fea02eb603e5d48805/contracts/token/BridgeMinter.sol#L90

Recommended Mitigation Steps

Use 'balance' variable instead of second call