GiantMevAndFeesPool.withdrawETH distributes too many rewards #239
Comments
code423n4
added
3 (High Risk)
|
dmvt marked the issue as duplicate of #140 |
|
dmvt marked the issue as not a duplicate |
|
dmvt marked the issue as duplicate of #146 |
|
dmvt marked the issue as not a duplicate |
|
dmvt marked the issue as duplicate of #129 |
|
dmvt marked the issue as not a duplicate |
|
dmvt marked the issue as duplicate of #129 |
|
dmvt marked the issue as partial-25 |
c4-judge
added
the
partial-25
|
dmvt marked the issue as satisfactory |
c4-judge
added
the
satisfactory
|
There are three other channels involved in this conversation. Individual issues are not the correct place to debate. I am engaging you in those channels and having a conversation with the organization regarding your concerns. Please stop repeating yourself on individual issues in this repo. |
|
Let's say there are 10 lpTokenETH in the contract (idleETH = 10) and 3 ETH in rewards. User A has 5 lpTokenETH and User B has 1 lpTokenETH User A calls the withdrawETH function to withdraw the staked ETH and the reward, he should have received 5 staked ETH and (13-10) / 10 * 5 =1.5 ETH of the reward. And User B will revert when exiting the pool due to the overflow in the _updateAccumulatedETHPerLP function function totalRewardsReceived() public view override returns (uint256) {
return address(this).balance + totalClaimed - idleETH; // @auidt: (13-5-4) + 4 - (5-1) = 4
}
...
function _updateAccumulatedETHPerLP(uint256 _numOfShares) internal {
if (_numOfShares > 0) {
uint256 received = totalRewardsReceived();
uint256 unprocessed = received - totalETHSeen; // @auidt: 4 - 8 revertThis results in more rewards for user A and losses for later users |
c4-judge
removed
the
partial-25
|
dmvt marked the issue as full credit |
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantPoolBase.sol#L52-L64
Vulnerability details
Impact
GiantMevAndFeesPool.withdrawETH will reduce the value of idleETH before burning GaintLP.
GaintLP.burn will call GiantMevAndFeesPool.beforeTokenTransfer and call updateAccumulatedETHPerLP to calculate accumulatedETHPerLPShare.
Decreasing the value of idleETH before burning GaintLP will cause totalRewardsReceived to increase and accumulatedETHPerLPShare to increase, i.e. treating the ETH deposited by the user as rewards, resulting in distributing too many rewards to the user.
Proof of Concept
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantPoolBase.sol#L52-L64
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L176-L178
Tools Used
None
Recommended Mitigation Steps
Change to
function withdrawETH(uint256 _amount) external nonReentrant { require(_amount >= MIN_STAKING_AMOUNT, "Invalid amount"); require(lpTokenETH.balanceOf(msg.sender) >= _amount, "Invalid balance"); require(idleETH >= _amount, "Come back later or withdraw less ETH"); - idleETH -= _amount; lpTokenETH.burn(msg.sender, _amount); + idleETH -= _amount; (bool success,) = msg.sender.call{value: _amount}(""); require(success, "Failed to transfer ETH"); emit LPBurnedForETH(msg.sender, _amount); }The text was updated successfully, but these errors were encountered: