All ETH can be drained by fake vault addresses.
<https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantSavETHVaultPool.sol#L29>
In batchDepositETHForStaking, each `_savETHVaults[i]` entry is checked for validity through:

```solidity
SavETHVault savETHPool = SavETHVault(_savETHVaults[i]);
require(
    liquidStakingDerivativeFactory.isLiquidStakingManager(address(savETHPool.liquidStakingManager())),
    "Invalid liquid staking manager"
);
```
However, an attacker can deploy a fake contract whose `liquidStakingManager()` returns a genuine, registered liquid staking manager, so the check passes trivially: it only verifies what the supplied address claims its manager is, not that the address is a vault the manager actually owns.
After the check, any ETH in the pool is sent to the caller-supplied address, i.e. to the fake contract:

```solidity
savETHPool.batchDepositETHForStaking{ value: transactionAmount }(
    _blsPublicKeys[i],
    _stakeAmounts[i]
);
```
Tools used: manual review
From the giant pool's perspective, it is safer to always take the liquid staking manager address as the input, check that it is a real manager registered with the factory, and then ask that manager for its savETH vault or staking funds vault, rather than the other way around (taking a vault address and trusting the manager it reports).
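The following is an added illustration, not code from the Stakehouse repository or from this report, contrasting the vulnerable lookup direction described above with the recommended one. The interface names, the `savETHVault()` getter on the manager, and the `GiantPoolExample` contract are assumptions made for the example; the real contracts may expose these under different names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the project's code). Interface names and the
// savETHVault() getter on the manager are assumptions for illustration.
interface ILSDNFactory {
    function isLiquidStakingManager(address manager) external view returns (bool);
}

interface ILiquidStakingManager {
    // Assumed getter: the manager knows which vault it owns.
    function savETHVault() external view returns (address);
}

interface ISavETHVault {
    function liquidStakingManager() external view returns (address);
    function batchDepositETHForStaking(
        bytes[] calldata blsPublicKeys,
        uint256[] calldata stakeAmounts
    ) external payable;
}

contract GiantPoolExample {
    ILSDNFactory public immutable factory;

    constructor(ILSDNFactory _factory) {
        factory = _factory;
    }

    // BEFORE: the pattern the finding describes. The caller supplies the vault
    // address and the pool only verifies what that address *reports* as its
    // manager. Any contract can return a registered manager from
    // liquidStakingManager(), so this proves nothing about `vault` itself and
    // the ETH is forwarded to whatever address the caller chose.
    function depositUnsafe(
        address vault,
        bytes[] calldata keys,
        uint256[] calldata amounts,
        uint256 amount
    ) external {
        ISavETHVault pool = ISavETHVault(vault);
        require(
            factory.isLiquidStakingManager(pool.liquidStakingManager()),
            "Invalid liquid staking manager"
        );
        pool.batchDepositETHForStaking{ value: amount }(keys, amounts);
    }

    // AFTER: the recommended direction. Take the manager, verify it against the
    // factory, then ask the *verified* manager for its vault. The vault address
    // is never caller-controlled, so ETH can only reach a vault that a
    // factory-registered manager vouches for.
    function depositSafe(
        address manager,
        bytes[] calldata keys,
        uint256[] calldata amounts,
        uint256 amount
    ) external {
        require(
            factory.isLiquidStakingManager(manager),
            "Invalid liquid staking manager"
        );
        ISavETHVault pool = ISavETHVault(ILiquidStakingManager(manager).savETHVault());
        pool.batchDepositETHForStaking{ value: amount }(keys, amounts);
    }

    // Lets the example contract hold ETH to forward.
    receive() external payable {}
}
```

The key difference is which party is the root of trust: in `depositUnsafe` the caller-supplied vault vouches for a manager, whereas in `depositSafe` the factory vouches for the manager and the manager vouches for the vault, so every address ETH is sent to is derived from a registered contract rather than from calldata.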