Lack of approval on withdrawal requests can be abused #224
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-140
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/UserWithdrawalManager.sol#L101-L103
Vulnerability details
Impact
Any user can submit withdrawal requests on behalf of other users, but there isn't an approval system. This can be abused to DoS specific users, as there are multiple checks on how many requests a user can make.
Proof of Concept
Any user can submit a withdrawal request on behalf of other users. This is the function used to make new requests:
There is a hard limit on how many requests a user can make:
Bob may decide to "donate" their funds by making maxNonRedeemedUserRequestCount small withdrawal requests to Alice: as a consequence, Alice can't make new withdrawal requests to herself, as her transactions would exceed the max. Alice is effectively under DoS until Bob decides to stop making new requests, as Alice's requests can be easily front-run.
Tools Used
Manual review
Recommended Mitigation Steps
Consider modifying the function so that requests are under the requester address:
Assessed type
Access Control
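The per-user cap and the recommended mitigation, as a simplified model. This is an added example, not code from the report or from the Stader contracts. Every name in it is an assumption except maxNonRedeemedUserRequestCount, and the cap value of 3 is constructed.

```python
# Simplified model of a withdrawal queue with a per-account cap on open requests.
# Assumption: all names are illustrative; only maxNonRedeemedUserRequestCount
# comes from the report, and its value here is constructed.
from collections import defaultdict

MAX_NON_REDEEMED_USER_REQUEST_COUNT = 3  # constructed value


class LimitReached(Exception):
    """Raised when an account already holds the maximum number of open requests."""


class WithdrawalQueue:
    def __init__(self, bind_to_sender: bool):
        # bind_to_sender=False: requests count against the caller-supplied owner.
        # bind_to_sender=True: mitigation, requests count against the caller.
        self.bind_to_sender = bind_to_sender
        self.open_requests = defaultdict(list)
        self.next_id = 1

    def request_withdraw(self, sender: str, amount: int, owner: str) -> int:
        account = sender if self.bind_to_sender else owner
        if len(self.open_requests[account]) + 1 > MAX_NON_REDEEMED_USER_REQUEST_COUNT:
            raise LimitReached(account)
        request_id = self.next_id
        self.next_id += 1
        self.open_requests[account].append((request_id, amount))
        return request_id


def owner_can_still_request(bind_to_sender: bool) -> bool:
    """Bob files the maximum number of requests naming Alice; can Alice still file one?"""
    queue = WithdrawalQueue(bind_to_sender)
    for _ in range(MAX_NON_REDEEMED_USER_REQUEST_COUNT):
        queue.request_withdraw(sender="bob", amount=1, owner="alice")
    try:
        queue.request_withdraw(sender="alice", amount=100, owner="alice")
        return True
    except LimitReached:
        return False


if __name__ == "__main__":
    print("owner-supplied accounting:", owner_can_still_request(False))
    print("sender-bound accounting:  ", owner_can_still_request(True))
```

With sender-bound accounting, the requests Bob files use up Bob's own quota, so Alice's slot count is only ever changed by Alice.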