Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/factory/VaultFactory.sol#L48-L60>
The address of the new contract depends solely on the _salt parameter, which is calculated from user-provided data. Once a userβs create transaction is broadcast, the parameters for calculating _salt can be viewed by anyone viewing the public mempool. This would result in an attacker being able to steal a share of the operatorβs reward and manipulate the distribution of the user and protocol reward.
Manual audit
Consider making the upcoming pool address a specific user by concatenating the salt value with the userβs address.
bytes32 salt = sha256(abi.encode(_poolId, _operatorId, _validatorCount, msg.sender));
Governance
The text was updated successfully, but these errors were encountered:
All reactions