batchDepositETHForStaking() malicious parameter to steal ETH #282
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-251
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L48-L52
Vulnerability details
Impact
GiantSavETHVaultPool#batchDepositETHForStaking() and GiantMevAndFeesPool#batchDepositETHForStaking()
Neither function verifies that the supplied vault parameter (_savETHVaults / _stakingFundsVault) is a legitimate vault, so a malicious vault contract can be passed in to steal ETH.
Proof of Concept
The security check in #batchDepositETHForStaking() only inspects the caller-supplied parameter by calling _savETHVaults[i].liquidStakingManager() on it.
An attacker can therefore pass in a malicious contract whose liquidStakingManager() method returns the address of a genuine LiquidStakingManager contract, and the security check passes.
Malicious contracts such as:
Note: GiantMevAndFeesPool#batchDepositETHForStaking() has the same problem.
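The root cause is that the pool trusts whatever manager address the caller-supplied vault reports, without checking that the registered manager actually owns that vault. The following snippet is an added illustration written for this report, not code from the Stakehouse repository: the interfaces ILSDNFactory, ILiquidStakingManager and ISavETHVault, and the function names isLiquidStakingManager() and savETHVault(), are assumptions modelled on the finding. It places the weak check described above beside a hardened check that closes the hole by requiring the registered manager to point back at the exact vault address being deposited into.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; all interfaces below are assumptions, not the project's own code.
interface ILiquidStakingManager {
    // Assumed getter: the vault this manager considers its savETH vault.
    function savETHVault() external view returns (address);
}

interface ILSDNFactory {
    // Assumed registry lookup: was this manager deployed by the factory?
    function isLiquidStakingManager(address manager) external view returns (bool);
}

interface ISavETHVault {
    // The only thing the weak check ever calls on the caller-supplied vault.
    function liquidStakingManager() external view returns (ILiquidStakingManager);
}

contract VaultCheckExample {
    ILSDNFactory public immutable factory;

    constructor(ILSDNFactory _factory) {
        factory = _factory;
    }

    // Weak check (shape of the check the finding describes): it asks the
    // untrusted vault who its manager is and only validates that answer.
    // An impostor vault can simply return a genuine manager's address.
    function weakCheck(ISavETHVault vault) public view returns (bool) {
        return factory.isLiquidStakingManager(address(vault.liquidStakingManager()));
    }

    // Hardened check: validate the manager against the factory AND require
    // that the genuine manager points back to this exact vault address.
    // An impostor vault cannot pass, because the real manager does not
    // reference it as its savETH vault.
    function strictCheck(ISavETHVault vault) public view returns (bool) {
        ILiquidStakingManager manager = vault.liquidStakingManager();
        if (!factory.isLiquidStakingManager(address(manager))) {
            return false;
        }
        return manager.savETHVault() == address(vault);
    }

    // Guard to place at the top of the per-vault loop in batchDepositETHForStaking().
    function requireGenuineVault(ISavETHVault vault) public view {
        require(strictCheck(vault), "Vault is not the registered savETH vault of its manager");
    }
}
```

The same reverse-lookup pattern applies to GiantMevAndFeesPool#batchDepositETHForStaking(), with the manager's staking-funds vault getter in place of savETHVault(); in both cases the trust anchor must be the factory-registered manager, never the user-supplied vault.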
Tools Used
Recommended Mitigation Steps