function withdrawETH from GiantMevAndFeesPool can steal most of eth because of idleETH is reduced before burning token #129
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
edited-by-warden
H-08
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantPoolBase.sol#L57-L60
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantMevAndFeesPool.sol#L176-L178
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L76-L90
Vulnerability details
Impact
The contract GiantMevAndFeesPool override the function totalRewardsReceived:
The function totalRewardsReceived is used as the current rewards balance to caculate the unprocessed rewards in the function
SyndicateRewardsProcessor._updateAccumulatedETHPerLP
But it will decrease the
idleETH
first and then burn the lpTokenETH in the functionGiantMevAndFeesPool.withdrawETH
. The lpTokenETH burn option will triggerGiantMevAndFeesPool.beforeTokenTransfer
which will call _updateAccumulatedETHPerLP and send the accumulated rewards to the msg sender. Because of the diminution of the idleETH, theaccumulatedETHPerLPShare
is added out of thin air. So the attacker can steal more eth from the GiantMevAndFeesPool.Proof of Concept
I wrote a test file for proof, but there is another bug/vulnerability which will make the
GiantMevAndFeesPool.withdrawETH
function break down. I submitted it as the other finding named "GiantLP with a transferHookProcessor cant be burned, users' funds will be stuck in the Giant Pool". You should fix it first by modifying the code https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/GiantMevAndFeesPool.sol#L161-L166 to :I know modifying the project source code is controversial. Please believe me it's a bug needed to be fixed and it's independent of the current vulnerability.
test:
test/foundry/TakeFromGiantPools2.t.sol
run test:
test log:
The attacker stole 2 eth from the pool.
Tools Used
foundry
Recommended Mitigation Steps
idleETH -= _amount;
should be after thelpTokenETH.burn
.The text was updated successfully, but these errors were encountered: