Attacker can grift syndicate staking by staking a small amount #146
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-12
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/a0558ed7b12e1ace1fe5c07970c7fc07eb00eebd/contracts/liquid-staking/LiquidStakingManager.sol#L882
https://github.com/code-423n4/2022-11-stakehouse/blob/23c3cf65975cada7fd2255a141b359a6b31c2f9c/contracts/syndicate/Syndicate.sol#L22
Vulnerability details
Impact
LiquidStakingManager._autoStakeWithSyndicate
always stakes a fixed amount of 12 ETH. However,Syndicate.stake
only allows a total staking amount of 12 ETH and reverts otherwise:An attacker can abuse this and front-run calls to
mintDerivatives
(which call_autoStakeWithSyndicate
internally). BecauseSyndicate.stake
can be called by everyone, he can stake the minimum amount (1 gwei) such that themintDerivatives
call fails.Proof Of Concept
As soon as there is a
mintDerivatives
call in the mempool, an attacker (that owns sETH) callsSyndicate.stake
with an amount of 1 gwei._autoStakeWithSyndicate
will still callSyndicate.stake
with 12 ether. However,_sETHAmount + totalStaked > 12 ether
will then be true, meaning that the call will revert.Recommended Mitigation Steps
Only allow staking through the LiquidStakingManager, i.e. add access control to
Syndicate.stake
.The text was updated successfully, but these errors were encountered: