122 matches found
glider_StakedUSDeV2
StakedUSDeV2 Uninitialized Role Variable PoC Vulnerability...
The staker could silently lose all their previously deposited assets when revert TokenTransferFailed() is called
Lines of code Vulnerability details Impact The staker could silently lose all their deposited assets in the NodeDelegator.sol function when they time to transfer their assets. This could happen when the staker owns assets in the Eigen but it is not enough to be transferred when the calculated...
SOFT_RESTRICTED_STAKER_ROLE is able to withdraw stUSDe for USDe even if it shouldn't
Lines of code Vulnerability details As the readme mentions, SOFT_RESTRICTED_STAKER_ROLE shouldn't be able to deposit or withdraw their USDe/stUSDe: Due to legal requirements, there's a SOFT_RESTRICTED_STAKER_ROLE and FULL_RESTRICTED_STAKER_ROLE. The former is for addresses based in countries we are not...
M-05 Unmitigated
Lines of code code-423n4/2023-05-xeth@aebc324L230 Vulnerability details If wxETH drips when nothing is staked, then the first staker can claim every drop. Mitigation code-423n4/2023-05-xeth@aebc324 This PR is added in the method accrueDrip to return if totalSupply == 0 to avoid dropping at 0. But...
Virgin stake can claim all drops
Lines of code Vulnerability details Impact If wxETH drips when nothing is staked, then the first staker can claim every drop. Proof of Concept Suppose drip is enabled when totalSupply == 0. At least one block passes and the first staker stakes, just 1 xETH is enough. This mints her 1 wxETH. This...
_transferAjnaRewards doesn't save the remaining rewards of a staker for the next transfer
Lines of code Vulnerability details Impact Staker will earn less than expected Proof of Concept On claimRewards function at transferAjnaRewards is being called to claim rewardsEarned for staker according to the tokenId, the issue here drop at if rewardsEarned ajnaBalance rewardsEarned =...
Strategy owner can steal staker funds.
Lines of code Vulnerability details Impact The functions StrategyManager.depositIntoStrategy and StrategyManager.depositIntoStrategyWithSignature don't check if the msg.sender != strategy. Hence, a strategy owner can deposit into his own strategy and specify the staker to his own EOA account, a...
Depositors risk losing funds through StrategyManager.depositIntoStrategyWithSignature()
Lines of code Vulnerability details Impact The StrategyManager contract has two functions for depositing funds into Strategy contracts, one of them is depositIntoStrategyWithSignature which allows the caller to make a deposit and the new shares are credited to a specified staker. If the staker...
A staker with verified over-commitment can potentially bypass slashing completely
Lines of code Vulnerability details Description In EigenLayer, watchers submit over-commitment proof in the event a staker's balance on the Beacon chain falls below the minimum restaked amount per validator. In such a scenario, stakers’ shares are decreased by the restaked amount. Note that when ...
Staker can bypass the debt accrued via beaconChainETHSharesToDecrementOnWithdrawal by transferring shares to another address
Lines of code Vulnerability details Description When a staker is verified to have over-committed and the over-committed amount is greater than their outstanding shares, they accrue a debt that is captured by beaconChainETHSharesToDecrementOnWithdrawal. This debt eventually gets settled when the...
Staker can avoid ETH slash by front run slashQueuedWithdrawal() with completeQueuedWithdrawal()
Lines of code Vulnerability details Impact Malicious staker can avoid the service's slash on its restaked ETH shares. Proof of Concept This issue is similar to Staker can avoid ETH slash by front run slashShares with verifyOvercommittedStake, but with a different logic. When a service/middleware...
Skipping indices of malicious strategies does not work
Lines of code Vulnerability details Impact In src/contracts/core/StrategyManager.solL536 parameter indicesToSkip per documentation: """exists so that, e.g., if the slashed QueuedWithdrawal contains a malicious strategy in the strategies array which always reverts on calls to its 'withdraw'...
A staker might still be able to stake after staking is over.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. A staker might still be able to stake after staking is over. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrate...
Incorrect validation of the result of the transfer * transferFrom method call. Failure to comply with the ERC20 standard
Lines of code Vulnerability details Impact Inability to use ERC20 standard tokens. As an example of the future LP token Proof of Concept According to the ERC-20 standard, the transfer and transferFrom methods return true or false, but looking at the code we see that:...
configureLP function should check LP stakers present before changing LP address.
Lines of code Vulnerability details configureLP function should check LP stakers existence before changing LP address. Permitted users are allowed to change LP address when lpLocked is false. So this does not follow the comments above. Proof of concept 1701 This function allows a permitted user t...
Unspent RSR can be stolen
Lines of code Vulnerability details Impact The BackingManager.handoutExcessAssets function sends all rsr that the BackingManager holds to the StRSR contract. This is done so that the rsr which is held by the BackingManager due to seizure from the StRSR contract can be sent back entirely to the...
Mitigation Confirmed for Mitigation of H-06 Issue mitigated
C4 issue H-06: MinipoolManager: node operator can avoid being slashed Comments In the original implementation, there were a few scenarios where malicious node operators can avoid being slashed. Mitigation PR 41 This PR includes mitigation for various issues H-03, H-06, M-13. Just focusing on the...
THE FIRST AMM STAKER MAY NOT RECEIVE ACCORDING REWARDS BECAUSE OF POOR CHECKPOINTS
Lines of code Vulnerability details Impact The first staker within the AmmGauge may not get the rewards if the pool is not checkpointed right after he stakes and before he wants to claim the rewards. Proof of Concept A testing environment that reproduces how the protocol is going to be deployed a...
Lack of safeApprove(0) prevents some registrations, and the changing of stakers and LP tokens
Lines of code Vulnerability details OpenZeppelin's safeApprove will revert if the account already is approved and the new safeApprove is done with a non-zero value function safeApprove IERC20 token, address spender, uint256 value internal // safeApprove should only be called when setting an initi...
Users Can Frontrun Token Distributions Using Flashloans
Lines of code Vulnerability details Impact The collector suite of contracts will actively send ANC token distributions to staked ANC token holders. However, because it is known beforehand that a distribution will be made to the governance contract, users can abuse this to frontrun distributions b...