One user can convert all most staking amount to their own share when the staking ended, and the owner set the wethSteakVault address.
Assume two users, user1 and user2 all stake 0.5 raw ether in the staking contract.
After staking period ended, and the new vault address is set, user1 call depositIntoVault, which transfer his staking raw eth into the weth vault. User 1 record 0.5 ether shares.
For the user1 can continue call depositIntoVault based on her staking amount, transfering his corresponding's amount to the weth vault until the balance of the steaking less than the user1's staking amount. Now User 1 record 1 ether shares though he only stake 0.5 ether in the steaking contract.
Obove steps can also by executed through reentrance attack.
POC_ Test
One user can convert almost staking eth in the steaking contract into his own shares when staking period end and the owner set the wethSteakVault address.
If the malicious user execute the above step firstly, all other users will lost almost their eth. No ways withdraw their eth,and no sharing records in the wethSteakVault.
The malicous user can set their staking amount, to convert all raw eth into his own share. (Such as total staking eth equal 100 ether, malicious stake 10 ether, can convert 10 times to convert all raw eths to his own shares )
Manual
Each time when user call depositIntoVault, should update usersToStakes, totalAmountStaked to prevent the same user use the usersToStakes so many times converting the existed eth in steaking contract to his own shares based on the wethSteakVault.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.