batchDepositETHForStaking in GiantSavETHVaultPool.sol can be tricked to steal all ETH in the pool (#361)
Labels: 3 (High Risk) - Assets can be stolen/lost/compromised directly; bug - Something isn't working; duplicate-251; satisfactory - satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L29
Vulnerability details
Impact
All ETH in the pool can be drained via a fake vault address.
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L29
Proof of Concept
In batchDepositETHForStaking, _savETHVault is checked for its validity through its liquidStakingNetworkManager. However, an attacker can create a fake contract that returns a correct liquidStakingNetworkManager, thus passing the check easily. After the check, any ETH in the pool will be sent to an address this fake contract provides.
Tools Used
Manual review
Recommended Mitigation Steps
From the giant pool's perspective, it is better to always pass the liquid staking manager address, check that it is a genuine manager, and only then request either the savETH vault or the staking funds vault from that manager, rather than the other way around (accepting a vault and asking it for its manager).
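The pattern below is an added illustration of the recommended mitigation; it is not code from the Stakehouse repository. The interfaces (the factory's isLiquidStakingManager lookup, the manager's savETHVault getter, the vault's liquidStakingNetworkManager getter) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed interfaces (illustrative, not copied from the Stakehouse repo).
interface ILSDNFactory {
    function isLiquidStakingManager(address) external view returns (bool);
}

interface ILiquidStakingManager {
    function savETHVault() external view returns (address);
}

interface ISavETHVault {
    function liquidStakingNetworkManager() external view returns (address);
    function batchDepositETHForStaking(bytes[] calldata blsKeys, uint256[] calldata amounts) external payable;
}

contract VaultCheckExample {
    ILSDNFactory public immutable factory;

    constructor(ILSDNFactory _factory) { factory = _factory; }

    // Pool ETH is held here for the example.
    receive() external payable {}

    // Weak pattern (the shape the finding describes): the caller supplies the vault and
    // the check only asks that vault which manager it belongs to. A fake vault can return
    // any whitelisted manager address and pass, and then receives the pool's ETH.
    function depositWeak(address _savETHVault, bytes[] calldata blsKeys, uint256[] calldata amounts, uint256 total) external {
        address manager = ISavETHVault(_savETHVault).liquidStakingNetworkManager();
        require(factory.isLiquidStakingManager(manager), "Invalid manager");
        ISavETHVault(_savETHVault).batchDepositETHForStaking{value: total}(blsKeys, amounts);
    }

    // Hardened pattern per the mitigation: the caller supplies the manager, the manager is
    // verified against the factory, and the vault is derived from that trusted manager,
    // so the caller never controls the address the ETH is sent to.
    function depositHardened(address _manager, bytes[] calldata blsKeys, uint256[] calldata amounts, uint256 total) external {
        require(factory.isLiquidStakingManager(_manager), "Invalid manager");
        address vault = ILiquidStakingManager(_manager).savETHVault();
        ISavETHVault(vault).batchDepositETHForStaking{value: total}(blsKeys, amounts);
    }
}
```

The hardened variant relies on the factory being the single source of truth for valid managers; if the factory lookup can be satisfied by an attacker-deployed manager, the derived vault is untrusted as well.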