LSD Network - Stakehouse contest - satoshipotato's results

A permissionless 3 pool liquid staking solution for Ethereum.

General Information

Platform: Code4rena

Start Date: 11/11/2022

Pot Size: $90,500 USDC

Total HM: 52

Participants: 92

Period: 7 days

Judge: LSDan

Total Solo HM: 20

Id: 182

League: ETH

Stakehouse Protocol

Findings Distribution

Researcher Performance

Rank: 90/92

Findings: 1

Award: $5.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

5.596 USDC - $5.60

Labels

bug
3 (High Risk)
partial-50
satisfactory
duplicate-251

Lines of code

https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L29
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L50
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L55

Vulnerability details

Impact

An attacker may deploy a fake SavETHVault that siphons funds to their own address on every deposit routed through it. Users' deposits may be irretrievably lost.

Proof of Concept

The function batchDepositETHForStaking is publicly callable, and the _savETHVaults addresses it receives are not checked against any registry of legitimate vaults: https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L29

The only validation is the check on line 50 of GiantSavETHVaultPool.sol, which inspects the liquidStakingManager reported by the vault itself: https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L50. An attacker can deploy a copy of SavETHVault whose liquidStakingManager variable is set to a valid liquidStakingManager address, so this check passes. Users can then be baited into depositing into the attacker's vault via batchDepositETHForStaking. When line 55 calls savETHPool.batchDepositETHForStaking on the malicious contract, it can forward the ETH directly to the attacker's address: https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L55, draining the depositing user's ETH.

Tools Used

Slither, Forge, VS Code Solidity Plugin

Recommended Mitigation Steps

Add a mapping (address => bool) isValidSavETHVault in SavETHVaultDeployer that returns true for the SavETHVault addresses deployed through SavETHVaultDeployer, and a function isValidSavETHVault in LSDNFactory that returns true if the given SavETHVault was deployed using SavETHVaultDeployer. Then, in GiantSavETHVaultPool.sol, add a require before the vault is called:

require(liquidStakingDerivativeFactory.isValidSavETHVault(address(savETHPool)), "Invalid savETHPool");
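The following is an added illustration of the mitigation described above; it is not code from the Stakehouse repository or from this report. The contract and function names (SavETHVaultDeployer, LSDNFactory, GiantSavETHVaultPool, batchDepositETHForStaking, liquidStakingDerivativeFactory, the _savETHVaults parameter) are taken from the report, but every body is a hypothetical sketch, and the remaining parameter names, the isLiquidStakingManager registry and the deployVault function are assumptions. The point it shows is why a self-reported liquidStakingManager is not a trust anchor and why the deployer-maintained registry is: only the deployer can write to the mapping, so an address passes the check if and only if the deployer created it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical sketch of the recommended mitigation (not the Stakehouse code).

interface ISavETHVault {
    function liquidStakingManager() external view returns (address);
    function batchDepositETHForStaking(bytes[] calldata blsKeys, uint256[] calldata amounts) external payable;
}

/// Minimal stand-in for SavETHVault so the deployer compiles (assumed shape).
contract SavETHVault is ISavETHVault {
    address public immutable override liquidStakingManager;
    constructor(address lsm) { liquidStakingManager = lsm; }
    function batchDepositETHForStaking(bytes[] calldata, uint256[] calldata) external payable override {}
}

/// Deployer that records every vault it creates. Nothing else can write to
/// isValidSavETHVault, so membership proves provenance.
contract SavETHVaultDeployer {
    mapping(address => bool) public isValidSavETHVault;

    function deployVault(address liquidStakingManager) external returns (address vault) {
        vault = address(new SavETHVault(liquidStakingManager));
        isValidSavETHVault[vault] = true;
    }
}

/// Factory exposing the registry check to consumers such as the giant pool.
contract LSDNFactory {
    SavETHVaultDeployer public immutable savETHVaultDeployer;
    // Assumed registry of legitimate liquid staking managers (hypothetical).
    mapping(address => bool) public isLiquidStakingManager;

    constructor(SavETHVaultDeployer deployer) { savETHVaultDeployer = deployer; }

    function isValidSavETHVault(address vault) external view returns (bool) {
        return savETHVaultDeployer.isValidSavETHVault(vault);
    }
}

contract GiantSavETHVaultPool {
    LSDNFactory public immutable liquidStakingDerivativeFactory;

    constructor(LSDNFactory factory) { liquidStakingDerivativeFactory = factory; }

    // Parameter names other than _savETHVaults are assumptions.
    function batchDepositETHForStaking(
        address[] calldata _savETHVaults,
        uint256[] calldata _ETHTransactionAmounts,
        bytes[][] calldata _blsPublicKeys,
        uint256[][] calldata _stakeAmounts
    ) external {
        require(_savETHVaults.length == _ETHTransactionAmounts.length, "Length mismatch");
        for (uint256 i; i < _savETHVaults.length; ++i) {
            ISavETHVault savETHPool = ISavETHVault(_savETHVaults[i]);

            // Original-style check: trusts a value the callee reports about
            // itself. Any contract can return a legitimate manager address, so
            // this alone does not prove the vault is genuine.
            require(
                liquidStakingDerivativeFactory.isLiquidStakingManager(savETHPool.liquidStakingManager()),
                "Invalid liquid staking manager"
            );

            // Mitigation: the address itself must be one the deployer created.
            require(
                liquidStakingDerivativeFactory.isValidSavETHVault(address(savETHPool)),
                "Invalid savETHPool"
            );

            savETHPool.batchDepositETHForStaking{value: _ETHTransactionAmounts[i]}(
                _blsPublicKeys[i],
                _stakeAmounts[i]
            );
        }
    }
}
```

The registry check is placed before any ETH leaves the pool, so an address that was never produced by SavETHVaultDeployer reverts the whole batch rather than receiving value. The earlier manager check is kept because it still constrains which LSDN a genuine vault belongs to; it simply cannot serve as the provenance check on its own.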

#0 - c4-judge

2022-11-21T12:33:50Z

dmvt marked the issue as duplicate of #36

#1 - c4-judge

2022-11-29T15:37:58Z

dmvt marked the issue as partial-50

#2 - c4-judge

2022-11-29T15:38:06Z

dmvt marked the issue as satisfactory

#3 - C4-Staff

2022-12-21T05:40:16Z

JeeberC4 marked the issue as duplicate of #36

#4 - liveactionllama

2022-12-22T08:46:32Z

Duplicate of #251
