returning wrong information for AccumulatedETH in GiantMevAndFeesPool.sol #320
Labels: 2 (Med Risk), bug, duplicate-160, satisfactory
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L91
Vulnerability details
Impact
The function is not used internally by any other contract, but can/will be used by bots or end users to check the balance.
As the return value is always wrong when _stakingFundsVaults.length > 1, it is not usable for consumers.
Proof of Concept
accumulated is overwritten on every loop iteration.
In the end accumulated is returned via
Recommended Mitigation Steps
Remove the function if it's not important, so users or bots can't use it, or fix accumulated so that it sums up correctly.
accumulated +=
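
The overwrite described in the Proof of Concept, next to the summing fix from the mitigation, as an added example that is not the Stakehouse contract's own code. IVaultPreview, FixedVault, PreviewDemo and their function names are hypothetical stand-ins for the vault preview calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical stand-in for a vault that reports a user's pending ETH.
interface IVaultPreview {
    function previewUserETH(address user) external view returns (uint256);
}

// Constructed mock vault: always reports the amount set at deployment.
contract FixedVault is IVaultPreview {
    uint256 private immutable amount;

    constructor(uint256 _amount) {
        amount = _amount;
    }

    function previewUserETH(address) external view returns (uint256) {
        return amount;
    }
}

contract PreviewDemo {
    // Pattern from the report: every iteration overwrites `accumulated`,
    // so only the last vault's value is returned when vaults.length > 1.
    function previewOverwritten(address user, IVaultPreview[] calldata vaults)
        external view returns (uint256 accumulated)
    {
        for (uint256 i; i < vaults.length; ++i) {
            accumulated = vaults[i].previewUserETH(user);
        }
    }

    // Mitigation from the report: add each vault's value to the total.
    function previewSummed(address user, IVaultPreview[] calldata vaults)
        external view returns (uint256 accumulated)
    {
        for (uint256 i; i < vaults.length; ++i) {
            accumulated += vaults[i].previewUserETH(user);
        }
    }
}
```

Deploying two FixedVault instances with 1 ether and 2 ether and passing both to each function makes the difference visible: previewOverwritten returns 2 ether, previewSummed returns 3 ether.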