StakingFundsVault token transfer causes vault DOS and orphaned rewards for token sender. #179
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-178
edited-by-warden
nullified: Issue is high quality, but not accepted
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/StakingFundsVault.sol#L343-L351
Vulnerability details
Impact
StakingFundsVault's afterTokenTransfer() does not update claimed[] on the from side of the token transfer. This can leave a claimed[] value that is too high for the new (lower) number of tokens held on that side. It can result in DOS when the user tries to access the vault in a way that calls _distributeETHRewardsToUserForToken(), which includes transferring tokens or claiming rewards. (This function will underflow when subtracting claimed[].) The overstated claimed[] value can also cause rewards due to the user to be orphaned in the vault.
Proof of Concept
The POC demonstrates how transferring StakingFundsVault tokens causes DOS when accessing the vault, including when attempting further token transfers, and then shows how future rewards can be orphaned.
The POC patch includes a temp fix for the claimed[] calculation in _distributeETHRewardsToUserForToken() to demonstrate that this is a separate issue.
Test
Patch
Tools Used
Recommended Mitigation Steps
Correctly set claimed[] when transferring away StakingFundsVault tokens. Alternatively, consider tracking claimed[] on a per share rather than an absolute basis.
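The accounting failure and the first mitigation can be reproduced in a small Python model. This is an added example, not the StakingFundsVault code or the report's POC; it assumes rewards due are computed as accumulated-per-token × balance − claimed[user], that both sides are settled before a transfer, and that only the recipient's claimed[] is refreshed afterwards. All class and function names and all amounts are constructed.

```python
class Underflow(Exception):
    """Models the revert Solidity 0.8 raises on unsigned subtraction underflow."""

class VaultModel:
    def __init__(self, fix_sender):
        self.fix_sender = fix_sender   # True = apply the recommended mitigation
        self.acc = 0                   # cumulative rewards per LP token
        self.bal, self.claimed = {}, {}

    def deposit(self, user, amount):   # constructed case: deposits precede rewards
        self.bal[user] = self.bal.get(user, 0) + amount

    def add_rewards(self, amount):     # amounts chosen to divide evenly
        self.acc += amount // sum(self.bal.values())

    def distribute(self, user):
        entitled = self.acc * self.bal.get(user, 0)
        claimed = self.claimed.get(user, 0)
        if claimed > entitled:         # checked subtraction would revert here
            raise Underflow(user)
        self.claimed[user] = entitled
        return entitled - claimed

    def transfer(self, sender, to, amount):
        self.distribute(sender)        # assumed: both sides settle before the move
        self.distribute(to)
        self.bal[sender] -= amount
        self.bal[to] = self.bal.get(to, 0) + amount
        self.claimed[to] = self.acc * self.bal[to]
        if self.fix_sender:            # the sender-side update the report says is missing
            self.claimed[sender] = self.acc * self.bal[sender]

def scenario(fix_sender):
    """Return (claim_blocked_after_transfer, paid_to_alice_after_more_rewards)."""
    v = VaultModel(fix_sender)
    v.deposit("alice", 10)
    v.deposit("carol", 10)
    v.add_rewards(40)                  # acc = 2
    v.transfer("alice", "bob", 5)      # alice is paid 20 and keeps 5 tokens
    try:
        v.distribute("alice")
        blocked = False
    except Underflow:
        blocked = True                 # claimed (20) exceeds entitlement (10)
    v.add_rewards(60)                  # acc = 5; alice earned 3 * 5 = 15 since the transfer
    return blocked, v.distribute("alice")

if __name__ == "__main__":
    print("unpatched:", scenario(False))
    print("patched:  ", scenario(True))
```

In the unpatched run the sender's claim reverts until new rewards exceed the stale claimed[] value, and 10 of the 15 units earned after the transfer are never paid out.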