Code4rena (code423n4), CODE423N4:2023-03-WENWIN-FINDINGS-ISSUES-473
Mar 09, 2023 - 12:00 a.m.

Risk of flashloan attacks in the Staking contract


Lines of code
<https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L79-L89>
<https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L103-L106>
<https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L91-L101>

Vulnerability details

Impact

An attacker can steal a large amount of rewardsToken from the Staking contract by using flashloans, so all users will receive fewer rewards for their staked amounts.

Proof of Concept

In the Staking contract, any user can stake a given amount of stakingToken (which is the LOT token) and immediately withdraw the staked amount, as there is no staking period or delay implemented (per the protocol concepts). This introduces an attack surface that uses flashloans to steal a large amount of rewardsToken from the Staking contract.

The attack scenario goes as follows:

  • The attacker takes a flashloan (from a DeFi protocol like AAVE) and borrows a large amount of DAI token.

  • The attacker then exchanges the DAI amount for LOT tokens on the DEX used by the protocol.

  • Then the attacker stakes the LOT token amount he got in the Staking contract by calling the stake function.

  • The attacker calls the getReward() function to update his rewards balance. In the Staking contract, the reward earned by a given user depends on his staked balance, as can be seen in the code below:

File: Staking.sol Line 61-63

function earned(address account) public view override returns (uint256 _earned) {
    return balanceOf(account) * (rewardPerToken() - userRewardPerTokenPaid[account]) / 1e18 + rewards[account];
}

Since the reward accrued is proportional to balanceOf(account), the attacker will get a large amount of rewards due to his large staked amount from the flashloan.

  • After the call to the getReward() function has transferred all the attacker's rewards to his account, the attacker can now call the exit() or withdraw function to get back his staked LOT tokens, which he will exchange back to DAI to return the initial amount flashloaned (of course there are also some fees that must be paid).

The outcome of this attack is that the attacker has stolen a large amount of rewardsToken from the Staking contract, and all the users that have previously staked their tokens will receive a very small amount of rewards, or potentially none if the attacker manages to drain almost all of them.

Tools Used

Manual review

Recommended Mitigation Steps

To avoid this issue, I recommend adding a short delay between the moment a user stakes his funds and the moment he can withdraw them. This delay will ensure that flashloans cannot be used to steal the rewards funds.

Additionally, this delay can be very short, for example a few minutes, and will not go against the spirit of the protocol.
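
One way to implement the recommended delay, as an added example that is not taken from the Wenwin code base. The contract name, MIN_STAKE_DELAY, lastStakedAt, the five-minute value and the minimal token interface are assumptions, and reward accounting is left out to keep the focus on the time lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal token interface (assumption: the staking token follows ERC-20 and returns bool).
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch of a stake/withdraw time lock; this is not Wenwin's Staking.sol.
contract DelayedWithdrawStaking {
    error WithdrawTooEarly(uint256 unlockTime);
    error ZeroAmount();
    error TransferFailed();

    IERC20Minimal public immutable stakingToken;
    // Assumed value; the report only asks for a delay of "a few minutes".
    uint256 public constant MIN_STAKE_DELAY = 5 minutes;

    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public lastStakedAt;

    constructor(IERC20Minimal _stakingToken) {
        stakingToken = _stakingToken;
    }

    function stake(uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        // Every deposit restarts the delay, so a late top-up cannot be withdrawn early.
        lastStakedAt[msg.sender] = block.timestamp;
        balanceOf[msg.sender] += amount;
        if (!stakingToken.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    function withdraw(uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        uint256 unlockTime = lastStakedAt[msg.sender] + MIN_STAKE_DELAY;
        // A flashloan must be repaid within the borrowing transaction, where
        // block.timestamp is fixed, so this check reverts any same-transaction exit.
        if (block.timestamp < unlockTime) revert WithdrawTooEarly(unlockTime);
        balanceOf[msg.sender] -= amount;
        if (!stakingToken.transfer(msg.sender, amount)) revert TransferFailed();
    }
}
```

If the staked position is itself a transferable token, the lock also has to follow transfers; otherwise moving the position to a fresh address would sidestep the per-account timestamp.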

