Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L29>
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L42>
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L56>
Since the initialise function is missing the initializer modifier (it is intended to be unprotected, per the ETHx smart contract functions documentation <https://docs.google.com/spreadsheets/d/1IjJ5z9oi9I-ejdRCitJsTT1on0WwjoKlbvurCtlB1KA/edit#gid=643619608>),
and since the VaultFactory contract does not initialize the VaultProxy directly in its own initialization function but through the separate functions deployWithdrawVault and deployNodeELRewardVault, which are protected by the onlyRole(NODE_REGISTRY_CONTRACT) modifier,
any attacker can initialize the VaultProxy contract with a malicious _staderConfig address that returns a malicious ValidatorWithdrawalVaultImplementation or NodeELRewardVaultImplementation address whose fallback calls selfdestruct, as in the code below:
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// When reached through delegatecall, selfdestruct runs in the delegating contract's context.
contract MaliciousValidatorWithdrawalVaultImplementation {
    fallback() external {
        selfdestruct(payable(0));
    }
}
```
The destruction of the VaultProxy implementation contract would freeze all functionality that points to that implementation.
Instances: 1
File: 2023-06-stader/contracts/VaultProxy.sol
Line 20: function initialise(
File: 2023-06-stader/contracts/factory/VaultFactory.sol
Line 29: vaultProxyImplementation = address(new VaultProxy());
Line 42: VaultProxy(payable(withdrawVaultAddress)).initialise(true, _poolId, _validatorId, address(staderConfig));
Line 56: VaultProxy(payable(nodeELRewardVaultAddress)).initialise(false, _poolId, _operatorId, address(staderConfig));
Tools used: Manual testing.
Recommended mitigation: Protect the initialise function in the VaultProxy contract with the initializer modifier provided by the OpenZeppelin AccessControlUpgradeable library.
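As an added illustration (not Stader's code), a sketch of the mitigation: the VaultProxy template created by the factory locks its own initialiser in the constructor, while EIP-1167 clones, which never run a constructor, stay initialisable exactly once. The interface name IStaderConfig and its two getter names are assumed for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added sketch, not Stader's code. IStaderConfig and its two getters are assumed names.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

interface IStaderConfig {
    function getValidatorWithdrawalVaultImplementation() external view returns (address);
    function getNodeELRewardVaultImplementation() external view returns (address);
}

contract VaultProxyHardened is Initializable {
    bool public isValidatorWithdrawalVault;
    uint8 public poolId;
    uint256 public id;
    IStaderConfig public staderConfig;

    // Runs only for the template created with `new VaultProxyHardened()` in the factory.
    // Clones never execute a constructor, so they stay initialisable (once) via `initializer`.
    constructor() {
        _disableInitializers();
    }

    // Single-use per clone and permanently locked on the template, so nobody can point
    // the template at a selfdestructing implementation and destroy it via the fallback.
    function initialise(
        bool _isValidatorWithdrawalVault,
        uint8 _poolId,
        uint256 _id,
        address _staderConfig
    ) external initializer {
        require(_staderConfig != address(0), "zero staderConfig");
        isValidatorWithdrawalVault = _isValidatorWithdrawalVault;
        poolId = _poolId;
        id = _id;
        staderConfig = IStaderConfig(_staderConfig);
    }

    // Delegates to the implementation selected by the staderConfig set at initialisation.
    fallback(bytes calldata _input) external payable returns (bytes memory) {
        address impl = isValidatorWithdrawalVault
            ? staderConfig.getValidatorWithdrawalVaultImplementation()
            : staderConfig.getNodeELRewardVaultImplementation();
        (bool ok, bytes memory data) = impl.delegatecall(_input);
        require(ok, "delegatecall failed");
        return data;
    }

    receive() external payable {}
}
```

On the template, staderConfig is never set, so any fallback call reverts before a delegatecall can happen; on a clone, the factory's trusted staderConfig is the only one that can ever be stored.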
Assessed type: Access Control