[H-4] `Vault.sol` can be drained with a flash loan attack on the `Staking.sol` staking pool.
Description: A malicious user could leverage a flash loan in order to drain all the funds from the vault by exploiting the logic in the staking pool. The Staking.sol::claimRewards function checks the amount that a user is eligible to withdraw based on the amount deposited multiplied by the number of weeks the user has staked.
Impact: All the funds from the vault could be drained.
Proof of concept:
Imagine a pool that has 1999 tokens.
Attacker deposits 1 token.
Two weeks pass.
Attacker takes a flash loan and buys 2000 tokens.
Attacker deposits the funds.
Now the pool holds 4000 tokens, and the attacker is eligible to claim 2001 (total tokens deposited) times 2 weeks, because he staked his first token 2 weeks ago, which means 4002 tokens.
Attacker calls
claimRewardsfunction, and drains the vault before returning the flash loan.Pool has 0 tokens now, and the attacker has 2000 tokens after returning the flash loan.
Recommended mitigation: A potential mitigation strategy involves tracking the amount staked and the time it was staked for, ensuring rewards are calculated based on "staked time" rather than only looking at the current deposited amount. This involves rethinking the logic of the function
Lead Judging Commences
finding-claimRewards-multi-deposits-time
High severity, this allows users to claim additional rewards without committing to intended weekly staking period via multi-deposit/deposit right before claiming rewards.
finding-claimRewards-multi-deposits-time
High severity, this allows users to claim additional rewards without committing to intended weekly staking period via multi-deposit/deposit right before claiming rewards.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.