Ethena Labs - ziyou-'s results

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L95-L106 https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L111-L122

Vulnerability details

Impact

Due to improper invocation of the cooldownAssets function and cooldownShares function, previously cooled assets are being re-cooled.

Proof of Concept

Here are the translations of the two scenarios:

(1) When users invoke the cooldownAssets function and cooldownShares function but fail to promptly call the unstake function to withdraw their assets, the assets will be re-cooled.

(2) When users invoke the cooldownAssets function and cooldownShares function, if there are existing assets in the cooldown period, the previous cooldown time will be invalidated. Regardless of whether they are old or new assets, the latest cooldown deadline will be considered.

function cooldownShares(uint256 shares, address owner) external ensureCooldownOn returns (uint256) { if (shares > maxRedeem(owner)) revert ExcessiveRedeemAmount();

uint256 assets = previewRedeem(shares);

@ cooldowns[owner].cooldownEnd = uint104(block.timestamp) + cooldownDuration; cooldowns[owner].underlyingAmount += assets;

_withdraw(_msgSender(), address(silo), owner, assets, shares);

return assets;

}

function cooldownAssets(uint256 assets, address owner) external ensureCooldownOn returns (uint256) { if (assets > maxWithdraw(owner)) revert ExcessiveWithdrawAmount();

uint256 shares = previewWithdraw(assets);

@ cooldowns[owner].cooldownEnd = uint104(block.timestamp) + cooldownDuration; cooldowns[owner].underlyingAmount += assets;

_withdraw(_msgSender(), address(silo), owner, assets, shares);

return shares;

}

Tools Used

vs

Recommended Mitigation Steps

Make appropriate modifications to the problem

Assessed type

Context