Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-06-LYBRA-FINDINGS-ISSUES-990
HistoryJul 03, 2023 - 12:00 a.m.

flashloan stealing staking reward

2023-07-0300:00:00
Code4rena
github.com
9
flashloan manipulation
staking rewards
balance calculation
vulnerability mitigation
token transfer
JSON

Lines of code

Vulnerability details

Impact

The report reveals a vulnerability where a flashloan can be used to steal staking rewards. The provided proof of concept demonstrates the issue, where a user can take advantage of the earned rewards calculation using the spot balance. By flashloaning a large amount of tokens, staking them, and immediately withdrawing, the user can unfairly claim a significant portion of the staking rewards.

Proof of Concept

function stake(uint256 _amount) external updateReward(msg.sender) {
    require(_amount > 0, "amount = 0");
    bool success = stakingToken.transferFrom(msg.sender, address(this), _amount);
    require(success, "TF");
    balanceOf[msg.sender] += _amount;
    totalSupply += _amount;
    emit StakeToken(msg.sender, _amount, block.timestamp);
}

function withdraw(uint256 _amount) external updateReward(msg.sender) {
    require(_amount > 0, "amount = 0");
    balanceOf[msg.sender] -= _amount;
    totalSupply -= _amount;
    stakingToken.transfer(msg.sender, _amount);
    emit WithdrawToken(msg.sender, _amount, block.timestamp);
}

modifier updateReward(address _account) {
    rewardPerTokenStored = rewardPerToken();
    updatedAt = lastTimeRewardApplicable();

    if (_account != address(0)) {
        rewards[_account] = earned(_account);
        userRewardPerTokenPaid[_account] = rewardPerTokenStored;
        userUpdatedAt[_account] = block.timestamp;
    }
    _;
}

function earned(address _account) public view returns (uint256) {
    return ((balanceOf[_account] * getBoost(_account) * (rewardPerToken() - userRewardPerTokenPaid[_account])) / 1e38) + rewards[_account];
}

The vulnerability stems from the fact that the earned function calculates rewards based on the user’s balance (balanceOf). By flashloaning a significant amount of tokens, staking them, and immediately withdrawing, users can manipulate the balance and claim a higher portion of the staking rewards than they should be entitled to.

Tools Used

Manual Review

Recommended Mitigation Steps

To address this vulnerability, it is recommended to avoid using the spot balance (balanceOf) to calculate rewards. Instead, consider using a different approach that mitigates the risk of flashloan-based manipulation. By employing alternative methods to calculate rewards that are not affected by flashloaned tokens, the vulnerability can be effectively mitigated.

Assessed type

Token-Transfer

The text was updated successfully, but these errors were encountered:

All reactions

JSON