Code4rena CODE423N4:2023-06-STADER-FINDINGS-ISSUES-395
Jun 09, 2023 - 12:00 a.m.

The utilization of a hardcoded time value is incorrect when deployed to blockchains other than Ethereum


Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L26>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L70-L73>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L22>

Vulnerability details

Medium
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L57>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L26>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L70-L73>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L22>

Title: The utilization of a hardcoded time value is incorrect when deployed to blockchains other than Ethereum

Impact

The hardcoded value of the MIN_AUCTION_DURATION constant in the Auction contract becomes problematic
when deploying the contracts on faster blockchains like Polygon and Binance Smart Chain.
Due to the shorter block times on these blockchains, the intended 24-hour auction duration is reduced significantly.

For instance, Binance Smart Chain's 3-second block time is a quarter of Ethereum's block time.
Consequently, the MIN_AUCTION_DURATION value of 7200, meant to represent 24 hours on Ethereum,
translates to only around 6.5 hours on Binance Smart Chain.

This discrepancy in auction durations across blockchains opens up arbitrage opportunities,
as different auction lengths affect the outcomes.

The same hardcoded value is used inside Auction, StaderOracle and StaderStakePoolsManager.

Inside StaderStakePoolsManager, the presence of a shorter deposit cooldown period introduces a vulnerability
that allows users to deposit significantly more funds into a pool than originally intended.

Proof of Concept

Stader should be deployed on different chains.
(ref. <https://blog.staderlabs.com/ethx-deposits-bda0f62d8ed8>)

Auction uses hardcoded time for MIN_AUCTION_DURATION, and calculates the auction duration with this value.

uint256 public constant MIN_AUCTION_DURATION = 7200; // 24 hours
duration = 2 * MIN_AUCTION_DURATION;

The intended minimum duration of 24h will not hold on chains other than Ethereum.

<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L38>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L22>

StaderStakePoolsManager initializes the contract with excessETHDepositCoolDown = 3 * 7200.

<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L57>

StaderOracle sets the max ER update frequency to 7 days. This will only work for Ethereum.

uint256 public constant MAX_ER_UPDATE_FREQUENCY = 7200 * 7; // 7 days

<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L26>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L70-L73>
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L22>

Recommended Mitigation Steps

Add a variable "blocksInDay", which can be set inside the constructor.

uint256 blocksInDay = 7200; // use 7200 for Ethereum mainnet

// Set the chain-specific number of blocks per day at deployment
constructor(uint256 _blocksInDay) {
  blocksInDay = _blocksInDay;
}
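
The mitigation above, carried through to all three block-denominated values named in this report, as an added example that is not Stader's code. The contract name, the admin field, the error names, the getter names and the updateDuration setter are hypothetical; only blocksInDay and the replaced constants come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example, not Stader's code. Names other than blocksInDay are hypothetical.
contract ChainAwareTiming {
    error ZeroBlocksInDay();
    error NotAdmin();
    error DurationBelowMinimum();

    address public immutable admin;
    // Blocks the target chain produces in 24 hours (7200 on Ethereum mainnet).
    uint256 public immutable blocksInDay;
    // Auction length in blocks; two days by default, as in `2 * MIN_AUCTION_DURATION`.
    uint256 public duration;

    constructor(uint256 _blocksInDay) {
        // A zero value would make every derived window zero blocks long.
        if (_blocksInDay == 0) revert ZeroBlocksInDay();
        admin = msg.sender;
        blocksInDay = _blocksInDay;
        duration = 2 * _blocksInDay;
    }

    // Replaces MIN_AUCTION_DURATION = 7200 (24 hours).
    function minAuctionDuration() public view returns (uint256) {
        return blocksInDay;
    }

    // Replaces excessETHDepositCoolDown = 3 * 7200.
    function excessETHDepositCoolDown() external view returns (uint256) {
        return 3 * blocksInDay;
    }

    // Replaces MAX_ER_UPDATE_FREQUENCY = 7200 * 7 (7 days).
    function maxERUpdateFrequency() external view returns (uint256) {
        return 7 * blocksInDay;
    }

    // Hypothetical setter: the 24-hour floor now scales with the chain.
    function updateDuration(uint256 _duration) external {
        if (msg.sender != admin) revert NotAdmin();
        if (_duration < minAuctionDuration()) revert DurationBelowMinimum();
        duration = _duration;
    }
}
```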

Assessed type

Timing

