Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-06-STADER-FINDINGS-ISSUES-351
HistoryJun 09, 2023 - 12:00 a.m.

Exchange rate is stale for deposit to calculate shares

2023-06-0900:00:00
Code4rena
github.com
3
stale exchange rate
vulnerability impact
mev
profit mechanism
oracle consultation
eth balance update
JSON

Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/ValidatorWithdrawalVault.sol#L77&gt;
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/NodeELRewardVault.sol#L36&gt;

Vulnerability details

Impact

The attacker can take profit with the delayed exchange rate updating mechanism.
He can deposit to the protocol to take a share of large mev reward generated by the protocol before the exchange rate update.

Proof of Concept

The getExchangeRate() function is called to calculate the shares minted to depositor. The getExchangeRate() function consults StaderOracle for two storage variables totalETHXSupply and totalETHBalance.

The totalETHBalance can be stale because the real total balance can be updated by NodeELRewardVault and ValidatorWithdrawalVault at random blocks.

The attacker can deposit to take profit when he sees a stale totalETHBalance.

Tools Used

Manual review.

Recommended Mitigation Steps

Additionally, consulting the NodeELRewardVault and ValidatorWithdrawalVault balance for a more seasonable total eth balance.
Record eth change in function receiveExecutionLayerRewards and receiveWithdrawVaultUserShare.

Assessed type

MEV

The text was updated successfully, but these errors were encountered:

All reactions

JSON