cancelUnstake lack payoutRewards before mint shares #10
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-09
primary issue: Highest quality submission among a set of duplicates
rainout: Used to specify findings that came in during the rained-out audit
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/StRSR.sol#L341-L380
Vulnerability details
cancelUnstake will cancel the withdrawal request in the queue and mint shares at the current stakeRate. But it doesn't payoutRewards before mintStakes. Therefore it will mint stRSR at a lower rate, which means it will get more RSR.
Impact
Withdrawers in the unstake queue can cancelUnstake without calling payoutRewards to get more RSR rewards that should not belong to them.
Proof of Concept
POC test/ZZStRSR.test.ts git patch
The test simulates two users' unstake and cancelUnstake operations at the same time. But addr2 calls payoutRewards after his cancelUnstake, and addr3 calls cancelUnstake after payoutRewards. Addr2 gets more RSR than addr3 in the end.
run test:
log:
Tools Used
Manual review
Recommended Mitigation Steps
Call _payoutRewards before minting shares.
Assessed type
Math
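An added example, not part of the original submission and not the project's code: a simplified JavaScript model of exchange-rate share accounting that replays the ordering described in the Proof of Concept (addr2 cancels, rewards are paid out, addr3 cancels), with and without a payout inside cancelUnstake. The StakePool class, the pendingRewards field and all amounts are assumptions constructed for illustration.

```javascript
// Simplified share-accounting model (constructed; not the StRSR contract code).
// Assumptions: rewards accrue in `pendingRewards` and only join the staked
// pool when payoutRewards() runs; RSR sitting in the withdrawal queue earns nothing.
class StakePool {
  constructor(stakeRSR, totalStakes, pendingRewards) {
    this.stakeRSR = stakeRSR;             // RSR backing all shares
    this.totalStakes = totalStakes;       // shares outstanding
    this.pendingRewards = pendingRewards; // accrued, not yet paid out
  }
  payoutRewards() {
    this.stakeRSR += this.pendingRewards;
    this.pendingRewards = 0;
  }
  // Move queued RSR back into the pool and mint shares for it.
  cancelUnstake(rsrAmount, payoutFirst) {
    if (payoutFirst) this.payoutRewards(); // the recommended mitigation
    const shares = (rsrAmount * this.totalStakes) / this.stakeRSR;
    this.totalStakes += shares;
    this.stakeRSR += rsrAmount;
    return shares;
  }
  // RSR a holder of `shares` could redeem at the current rate.
  rsrValue(shares) {
    return (shares * this.stakeRSR) / this.totalStakes;
  }
}

// Same ordering as the PoC description: addr2 cancels, rewards are paid out,
// then addr3 cancels. Both had 500 RSR in the withdrawal queue (constructed values).
function simulate(payoutFirst) {
  // One existing staker holding 1000 shares, 100 RSR of rewards pending.
  const pool = new StakePool(1000, 1000, 100);
  const addr2Shares = pool.cancelUnstake(500, payoutFirst);
  pool.payoutRewards();
  const addr3Shares = pool.cancelUnstake(500, payoutFirst);
  return {
    addr2: pool.rsrValue(addr2Shares),
    addr3: pool.rsrValue(addr3Shares),
    existingStaker: pool.rsrValue(1000),
  };
}

console.log("cancelUnstake without payout:", simulate(false));
console.log("cancelUnstake with payout:   ", simulate(true));
```

In this model the extra RSR that addr2 ends up with comes out of the existing staker's rewards; with the payout inside cancelUnstake, both cancellers get back exactly what they had queued.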