Fees.sellProfits() can be called by anyone, which lets a staker boost the WETH rewards paid out by Staking.claim() on demand. By iterating over the tokens held by the Fees.sol contract and selling them for WETH, the caller raises the Staking contract's WETH balance and therefore the reward that is computed when claim() runs immediately afterwards. The staker decides when protocol profit is converted into rewards, which is not the intended flow and disadvantages the protocol and other stakers.
The Staking contract pays each user according to their share of the staking pool and the contract's current WETH balance. The Fees.sol contract automatically receives all profits made by the protocol, in various tokens, from the Lender.sol contract. Fees.sellProfits(address _profits) is public and has no access control: it sells the contract's balance of the given token for WETH and sends that WETH directly to the Staking.sol contract. A malicious user therefore calls sellProfits() for each profit token and then calls Staking.claim() in the same transaction or block, collecting a reward computed on the freshly increased WETH balance.
The result is a reward distribution the claimer controls rather than the protocol, so users can collect more WETH at a time of their choosing than the intended distribution would give them, at the expense of the protocol and other stakers.
Tools used: VSCode
Two mitigations can be employed:
Add access control to Fees.sellProfits(address _profits) so that only a trusted admin can swap the profit tokens for WETH and fund the Staking contract.
Instead of sending WETH directly to the Staking contract, route it to a multisig wallet and periodically transfer the WETH into the Staking contract manually.
Note that neither measure fully removes the problem: the reward is still a function of the Staking contract's WETH balance, so a user can monitor the mempool, wait for the admin's or multisig's funding transaction, and call claim() right after it. As long as rewards are derived from the WETH balance observed at claim time, whoever times their claim best is favoured. A reward accounting that does not depend on when WETH happens to arrive is needed to make the distribution robust and fair; that design is outside the scope of this finding.