Code4rena: 2022-11-stakehouse findings, issue 361
Nov 18, 2022

batchDepositETHForStaking in GiantSavETHVaultPool.sol can be tricked to steal all ETH in the pool

Source: Code4rena, github.com
Tags: vulnerability, eth theft, fake contract
Lines of code

https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L29

Vulnerability details

Impact

All ETH held by the giant pool can be drained by passing fake vault addresses.

Proof of Concept

In batchDepositETHForStaking, each entry of _savETHVaults is checked for validity only through:

// The pool takes the caller-supplied address at face value and asks that
// address which manager it belongs to; only the answer is validated.
SavETHVault savETHPool = SavETHVault(_savETHVaults[i]);
require(
    liquidStakingDerivativeFactory.isLiquidStakingManager(address(savETHPool.liquidStakingManager())),
    "Invalid liquid staking manager"
);

However, an attacker can deploy a fake contract whose liquidStakingManager() returns the address of a legitimate liquid staking manager, so the check passes trivially. After the check, the pool's ETH is sent to whatever address the fake contract was supplied as:

// transactionAmount of pool ETH is forwarded to the caller-supplied contract.
savETHPool.batchDepositETHForStaking{ value: transactionAmount }(
    _blsPublicKeys[i],
    _stakeAmounts[i]
);

Tools Used

manual

Recommended Mitigation Steps

From the giant pool's perspective, the safer design is the reverse of the current one: always take a liquid staking manager address as input, verify through the factory that it is a real manager, and only then ask that manager for its savETH vault or staking funds vault, rather than accepting a vault address and asking the vault who its manager is.
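The following is an added example of the recommended manager-first flow; it is not code from the Stakehouse repository or from this finding. Only isLiquidStakingManager(), liquidStakingManager() and batchDepositETHForStaking() appear on the page; the interface names, the savETHVault() getter on the manager, and the pool's parameter layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Stakehouse code). Interface names and the savETHVault()
// getter are ASSUMED; only the three calls named in the finding are real.

interface ILiquidStakingManager {
    // ASSUMED getter: the trusted manager reports which savETH vault is its own.
    function savETHVault() external view returns (address);
}

interface ISavETHVault {
    function liquidStakingManager() external view returns (address);
    function batchDepositETHForStaking(
        bytes[] calldata blsPublicKeys,
        uint256[] calldata amounts
    ) external payable;
}

interface ILSDNFactory {
    function isLiquidStakingManager(address manager) external view returns (bool);
}

contract HardenedGiantSavETHVaultPool {
    ILSDNFactory public immutable liquidStakingDerivativeFactory;

    constructor(ILSDNFactory factory) {
        liquidStakingDerivativeFactory = factory;
    }

    receive() external payable {}

    /// Callers supply manager addresses, never vault addresses. The vault is
    /// resolved from a manager the factory vouches for, so a caller-supplied
    /// contract that merely echoes a real manager address is never paid.
    function batchDepositETHForStaking(
        address[] calldata _liquidStakingManagers,
        uint256[] calldata _ethAmounts,
        bytes[][] calldata _blsPublicKeys,
        uint256[][] calldata _stakeAmounts
    ) external {
        uint256 n = _liquidStakingManagers.length;
        require(n > 0, "Empty arrays");
        require(
            n == _ethAmounts.length &&
            n == _blsPublicKeys.length &&
            n == _stakeAmounts.length,
            "Inconsistent lengths"
        );

        for (uint256 i; i < n; ++i) {
            address manager = _liquidStakingManagers[i];

            // Step 1: trust anchor. The factory, not the caller, decides
            // which managers are genuine.
            require(
                liquidStakingDerivativeFactory.isLiquidStakingManager(manager),
                "Invalid liquid staking manager"
            );

            // Step 2: derive the vault from the trusted manager (assumed getter),
            // instead of accepting a vault address from the caller.
            ISavETHVault vault = ISavETHVault(
                ILiquidStakingManager(manager).savETHVault()
            );

            // Step 3: cheap consistency check in the other direction; a vault
            // that does not point back at its manager is rejected.
            require(vault.liquidStakingManager() == manager, "Vault/manager mismatch");

            uint256 amount = _ethAmounts[i];
            require(address(this).balance >= amount, "Insufficient pool balance");

            // Funds only ever leave toward a vault the manager itself named.
            vault.batchDepositETHForStaking{ value: amount }(
                _blsPublicKeys[i],
                _stakeAmounts[i]
            );
        }
    }
}
```

The important difference from the vulnerable check is the direction of the lookup: the factory vouches for the manager, and the manager names the vault, so no address chosen by the caller ever becomes the recipient of pool ETH. The back-reference check in step 3 is belt and braces; the real fix is step 2.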
