Stader Labs - kutugu's results

Decentralized ETH liquid staking protocol with 4 ETH bond for anyone to be a node operator.

General Information

Platform: Code4rena

Start Date: 02/06/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 75

Period: 7 days

Judge: Picodes

Total Solo HM: 5

Id: 249

League: ETH

Stader Labs

Findings Distribution

Researcher Performance

Rank: 49/75

Findings: 1

Award: $31.80

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

31.7954 USDC - $31.80

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-15

External Links

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderOracle.sol#L646-L649

Vulnerability details

Impact

The Chainlink Proof-of-Reserve feed answers are consumed without any validation of sign, round completeness or freshness, so an incorrect (zero or negative) or stale value can flow into the exchange-rate calculation.

Proof of Concept

        // StaderOracle.sol#L646-L649: both feeds are read with latestRoundData()
        // and only the `answer` field is kept; roundId, updatedAt and answeredInRound are discarded.
        (, int256 totalETHBalanceInInt, , , ) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy())
            .latestRoundData();
        (, int256 totalETHXSupplyInInt, , , ) = AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy())
            .latestRoundData();
        // Unchecked int256 -> uint256 casts.
        return (uint256(totalETHBalanceInInt), uint256(totalETHXSupplyInInt), block.number);
  • A zero value may be returned when the oracle goes down, and there is no check for it. If totalETHBalanceInInt is negative, the unchecked cast to uint256 wraps it to a huge value instead of reverting, so the subsequent calculation proceeds on a corrupted balance.
  • The oracle may return a stale round; the value derived from it is then stale as well, yet it is still used.

Tools Used

Manual Review

Recommended Mitigation Steps

Keep the full latestRoundData() tuple and validate it before using the answer (shown here for the ETH balance feed; the ETHX supply feed needs the same checks):

(uint80 roundID, int256 totalETHBalanceInInt, , uint256 timestamp, uint80 answeredInRound) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy()).latestRoundData();
require(totalETHBalanceInInt > 0, "totalETHBalanceInInt <= 0"); // rejects zero and negative answers before the cast
require(answeredInRound >= roundID, "Stale price");            // answer was not carried over from an earlier round
require(timestamp != 0, "Round not complete");                 // round has actually been finalised
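The require-chain above still accepts a feed that simply stopped updating, because answeredInRound and updatedAt stay self-consistent when no new round is ever posted. The following is an added example, not Stader's code or the warden's: a hardened version of the PoC function that applies the sign, round-completeness and round-consistency checks to both feeds and adds an age bound. The contract name, the immutable feed addresses standing in for staderConfig.get*PORFeedProxy(), the custom errors and the MAX_FEED_AGE value are all assumptions chosen for illustration; the real bound must match the heartbeat of the specific feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// Added example (hypothetical contract, not from the Stader code base).
/// Reads the two Proof-of-Reserve feeds with full validation instead of the
/// unchecked latestRoundData() calls in StaderOracle.getPORFeedData().
contract CheckedPORReader {
    // Assumption: bound must be set per feed from its published heartbeat.
    uint256 public constant MAX_FEED_AGE = 24 hours;

    // Assumption: fixed feed addresses stand in for staderConfig.getETHBalancePORFeedProxy()
    // and staderConfig.getETHXSupplyPORFeedProxy().
    address public immutable ethBalanceFeed;
    address public immutable ethxSupplyFeed;

    error NonPositiveAnswer(address feed, int256 answer);
    error IncompleteRound(address feed, uint80 roundId);
    error StaleRound(address feed, uint80 roundId, uint80 answeredInRound);
    error FeedTooOld(address feed, uint256 updatedAt, uint256 maxAge);

    constructor(address _ethBalanceFeed, address _ethxSupplyFeed) {
        ethBalanceFeed = _ethBalanceFeed;
        ethxSupplyFeed = _ethxSupplyFeed;
    }

    /// Same return shape as the original getPORFeedData(), but every answer
    /// has passed _readChecked() before it is cast to uint256.
    function getPORFeedData()
        external
        view
        returns (uint256 totalETHBalance, uint256 totalETHXSupply, uint256 blockNumber)
    {
        totalETHBalance = _readChecked(ethBalanceFeed);
        totalETHXSupply = _readChecked(ethxSupplyFeed);
        blockNumber = block.number;
    }

    /// Reverts unless the latest round is positive, finalised, not carried over
    /// from an earlier round, and updated within MAX_FEED_AGE.
    function _readChecked(address feed) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        // 1. Zero means "no data"; a negative value would wrap to ~2^256 on cast.
        if (answer <= 0) revert NonPositiveAnswer(feed, answer);
        // 2. updatedAt == 0 means the round was started but never completed.
        if (updatedAt == 0) revert IncompleteRound(feed, roundId);
        // 3. answeredInRound < roundId means the answer belongs to an older round.
        if (answeredInRound < roundId) revert StaleRound(feed, roundId, answeredInRound);
        // 4. Age bound catches a feed that has silently stopped posting rounds,
        //    which checks 2 and 3 alone do not.
        if (block.timestamp - updatedAt > MAX_FEED_AGE) {
            revert FeedTooOld(feed, updatedAt, MAX_FEED_AGE);
        }

        return uint256(answer); // safe: answer > 0 was established above
    }
}
```

Two practical caveats: the age bound needs a safe fallback path (pause or last-known-good value) so that a lagging feed does not leave the protocol permanently reverting, and the answeredInRound field has been marked deprecated in newer Chainlink aggregators, so the age check on updatedAt is the one that should carry the staleness decision going forward.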

Assessed type

Oracle

#0 - c4-judge

2023-06-09T23:25:45Z

Picodes marked the issue as duplicate of #15

#1 - c4-judge

2023-07-02T10:49:58Z

Picodes marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024