3 matches found
The admin address used in initialize function, can behave maliciously
Lines of code Vulnerability details N.B : This bug is different that the other one titled "Risk of losing admin access if updateAdmin set with same current admin address". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliat...
Both consensus layer rewards and "32 bonded ETH" will be distributed via ValidatorWithdrawalVault.distributeRewards() as rewards
Lines of code Vulnerability details Impact totalRewards can be a value than staderConfig.getRewardsThreshold in ValidatorWithdrawalVault.distributeRewards. As a result both ETH balances belonging to rewards and staked ETH will be distributed. Proof of Concept Both consensus layer rewards and "32...
accountsMap[ADMIN] not set in initialize function of StaderConfig contract
Lines of code Vulnerability details Impact When initializing the StaderConfig contract with the initialize function, the admin address is not set in accountsMapADMIN variable, so the getAdmin function will return address0. This will cause the loss of the ownership of the VaultProxy contract as it...