User can withdraw more rewards than expected due to a miscalculation of the `claimed` array #300
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-147
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L63
Vulnerability details

Impact

In the `_distributeETHRewardsToUserForToken()` function, the `claimed` array is updated with the claimed rewards of each user. This array is also used to calculate how much in rewards a user can withdraw.

There is an error when the array is updated: instead of increasing the value by the withdrawn rewards (`due`), the value is replaced with the withdrawn rewards (`due`). The new value will then be lower than the expected one, allowing a user to withdraw more than due by withdrawing several times.

The issue can also prevent a user from interacting with the contract and withdrawing his own assets, because `_distributeETHRewardsToUserForToken()` will revert if the calculated `due` is higher than the ETH balance in the contract.

Proof of Concept
Proof of concept using `GiantMevAndFeesPool.claimRewards()`, but other paths are available.

1. The user has an `lpTokenETH` balance on the `GiantMevAndFeesPool` contract, allowing him to withdraw rewards.
2. The user calls the `claimRewards()` function on the `GiantMevAndFeesPool` contract with the following parameters:
   - `_recipient`: user's address
   - `_stakingFundsVaults`: array with at least one available staking funds vault. Note that the user can also provide an alternate contract which does not revert on `claimRewards(address,bytes[])`, as there is no verification here
   - `_blsPublicKeysForKnots`: related BLS keys (if using an available staking funds vault)
3. `claimed[user][lpTokenEth]` is now set to a lower value than expected.
4. If the user calls `claimRewards()` again at a later time, the due rewards will be miscalculated and be higher than expected.
5. As `_distributeETHRewardsToUserForToken()` is called at other places in the contract, this will also prevent the user from doing some actions like withdrawing his own assets.

Tools Used
Manual review.
Recommended Mitigation Steps
Fix the `_distributeETHRewardsToUserForToken()` function to increase `claimed[_user][_token]` by `due` instead of overwriting it with `due`.
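The following Python model illustrates the accounting defect described in the Impact and Mitigation sections above. It is an added example, not code from the Stakehouse repository: the reward formula (a generic accumulated-rewards-per-share scheme), the `RewardsProcessor` class, the user names and the amounts are all assumptions constructed for the illustration. The only thing it reproduces from the report is the single faulty line, `claimed = due` instead of `claimed += due`, and it shows both consequences the report names: a user who claims repeatedly across reward rounds is overpaid, and a second user's claim later reverts because the contract no longer holds enough ETH.

```python
"""Model of the `claimed` bookkeeping bug: assignment instead of accumulation.

Constructed example; the accumulator formula is an assumption, not the
project's actual implementation.
"""
from dataclasses import dataclass, field

PRECISION = 10**18
ETH = 10**18


@dataclass
class RewardsProcessor:
    """Pro-rata ETH reward distribution for holders of an LP token."""
    fixed_bug: bool
    accumulated_per_share: int = 0
    total_shares: int = 0
    balances: dict[str, int] = field(default_factory=dict)
    claimed: dict[str, int] = field(default_factory=dict)
    contract_eth: int = 0

    def mint(self, user: str, shares: int) -> None:
        self.balances[user] = self.balances.get(user, 0) + shares
        self.total_shares += shares

    def receive_rewards(self, eth: int) -> None:
        # New ETH is credited to all current share holders pro-rata.
        self.contract_eth += eth
        self.accumulated_per_share += eth * PRECISION // self.total_shares

    def entitled(self, user: str) -> int:
        # Lifetime rewards this user's shares have earned so far.
        return self.balances[user] * self.accumulated_per_share // PRECISION

    def distribute(self, user: str) -> int:
        """Pay out what is due; returns the amount paid (0 if nothing due)."""
        due = self.entitled(user) - self.claimed.get(user, 0)
        if due <= 0:
            return 0
        if due > self.contract_eth:
            # Mirrors the revert the report describes when due exceeds balance.
            raise RuntimeError("insufficient ETH in contract")
        if self.fixed_bug:
            self.claimed[user] = self.claimed.get(user, 0) + due   # correct: +=
        else:
            self.claimed[user] = due                               # bug: =
        self.contract_eth -= due
        return due


def simulate(fixed_bug: bool) -> dict:
    """Two equal holders, two reward rounds, one holder claiming repeatedly."""
    p = RewardsProcessor(fixed_bug=fixed_bug)
    p.mint("alice", 100)
    p.mint("bob", 100)

    p.receive_rewards(10 * ETH)            # each holder is owed 5 ETH
    payouts = [p.distribute("alice")]      # alice claims her 5 ETH
    p.receive_rewards(10 * ETH)            # each holder is owed 5 ETH more

    # alice keeps calling claim; with the bug every call pays 5 ETH again.
    for _ in range(3):
        payouts.append(p.distribute("alice"))

    try:
        bob_paid = p.distribute("bob")
        bob_reverted = False
    except RuntimeError:
        bob_paid = 0
        bob_reverted = True

    return {
        "alice_payouts": payouts,
        "alice_total": sum(payouts),
        "bob_paid": bob_paid,
        "bob_reverted": bob_reverted,
        "contract_eth": p.contract_eth,
    }


if __name__ == "__main__":
    for label, fixed in (("buggy", False), ("fixed", True)):
        r = simulate(fixed)
        print(label, "alice total:", r["alice_total"] / ETH, "ETH;",
              "bob reverted:", r["bob_reverted"])
```

With the bug, alice collects 20 ETH from a pool in which she earned 10, and bob's claim reverts on an empty contract; with `+=` she stops at 10 ETH and bob receives his 10 ETH.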