Beginner Friendly, Foundry, DeFi
Submission Details
Severity: high
Valid

Points are not deducted in the backend server when a user unstakes, so the protocol campaign can be exploited to earn a large amount of $STEAK in the future airdrop without leaving any ETH staked

Summary

The points the backend server awards on a stake are not deducted when the user later unstakes. Because the protocol allows full withdrawal during the campaign, a user can accumulate points for the future $STEAK airdrop without leaving any ETH staked.

Vulnerability Details

Under the protocol's staking campaign, every 1 ETH staked earns the user 1000 points on the backend server. When the user unstakes, however, the points already recorded are never reduced. Since the protocol lets users withdraw their entire stake while the campaign is still running, a user can stake, collect the points, withdraw the ETH (and repeat, or simply reuse the capital elsewhere) and still be credited with a large share of the $STEAK airdrop.

Proof of Concept:

  1. User stakes 1000 ETH

    • cast send <contract-address> "stake(address)" <user-address> --private-key <private-key> --value "1000ether"

    • backend server records 1000 * 1000 = 1_000_000 points for the user

  2. User unstakes all 1000 ETH within the campaign period (the amount below is 1000 ETH expressed in wei; the ETH is sent to a different address)

    • cast send <contract-address> "unstake(uint256,address)" 1000000000000000000000 <user-other-address> --private-key <private-key>

    • connect with mongosh and inspect the points collection

      use test
      db.steakpoints.find({ walletAddress: <user-address> }).pretty()
    • the backend server still holds 1_000_000 points for the user, even though nothing remains staked

The root cause is that the protocol's server, steaking-server/src/main.js, subscribes only to the Staked event and never processes the Unstaked event emitted by the steaking-contracts/src/Steaking.vy contract, so stakes are credited but withdrawals are never debited.

Impact

A user can farm a large share of the future $STEAK airdrop without leaving any ETH staked for the campaign, diluting the rewards of honest stakers.

Tools Used

Manual review

Recommendations

Two possible ways to fix the point-reward flow:

  1. Also handle the Unstaked event from steaking-contracts/src/Steaking.vy in steaking-server/src/main.js and deduct the points corresponding to the unstaked amount from the database. The deduction must be applied to the staker who called unstake, not to the recipient address passed to it, since the two can differ.

  2. Instead of listening to Staked and Unstaked, award points from the final staked amount when the campaign ends, by listening to the DepositedIntoVault event instead. This simplifies the accounting and restricts rewards to users who remain staked until the end of the campaign.
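The following is an added example, not code from the Steaking repository. It replays a constructed Staked/Unstaked event stream, mirroring the PoC above, through two point ledgers: one that credits Staked only (the behaviour this finding reports) and one that also applies Unstaked as in recommendation 1. The corrected ledger tracks each staker's net wei and derives points from it at the end, which is the same idea as recommendation 2's "reward on the final staked amount". The event shape ({name, args} with args.by, args.amount in wei and args.to) and the 1 ETH = 1000 points rule are assumptions taken from the report, not the project's actual ABI.

```javascript
// Added example, not the Steaking project's code: replays a constructed
// Staked/Unstaked event stream through two point ledgers, the one the report
// describes (Staked only) and a corrected one that also applies Unstaked.
// Assumptions (hypothetical, modelled on the finding): 1 ETH = 1000 points;
// events are {name, args}, with args.by = the staker whose points change,
// args.amount in wei, and args.to = the unstake recipient (irrelevant to points).

const WEI_PER_ETH = 10n ** 18n;
const POINTS_PER_ETH = 1000n;
const ETH = (n) => BigInt(n) * WEI_PER_ETH;

function pointsForWei(wei) {
  // Whole points only; dust below 0.001 ETH is dropped.
  return (wei * POINTS_PER_ETH) / WEI_PER_ETH;
}

// Vulnerable accounting (what steaking-server/src/main.js is reported to do):
// every Staked credits points, Unstaked is never looked at.
function replayStakedOnly(events) {
  const points = new Map();
  for (const ev of events) {
    if (ev.name !== "Staked") continue;
    const addr = ev.args.by.toLowerCase();
    points.set(addr, (points.get(addr) ?? 0n) + pointsForWei(ev.args.amount));
  }
  return points;
}

// Corrected accounting: keep the net wei each staker has locked and derive
// points from that, so partial unstakes cannot leave rounding drift and a full
// withdrawal ends at exactly zero. Points are debited from args.by (the caller
// who unstaked), never from args.to, since the PoC withdraws to another address.
function replayWithUnstakes(events) {
  const staked = new Map();   // staker -> net wei currently staked
  const anomalies = [];       // Unstaked events larger than the tracked stake
  for (const ev of events) {
    const addr = ev.args.by.toLowerCase();
    const cur = staked.get(addr) ?? 0n;
    if (ev.name === "Staked") {
      staked.set(addr, cur + ev.args.amount);
    } else if (ev.name === "Unstaked") {
      if (ev.args.amount > cur) {
        // The contract should make this impossible; if the indexer sees it the
        // server has missed events, so clamp to zero and surface it for review.
        anomalies.push({ addr, unstaked: ev.args.amount, tracked: cur });
        staked.set(addr, 0n);
      } else {
        staked.set(addr, cur - ev.args.amount);
      }
    }
  }
  const points = new Map();
  for (const [addr, wei] of staked) points.set(addr, pointsForWei(wei));
  return { points, anomalies };
}

// Constructed event stream mirroring the PoC: stake 1000 ETH, then unstake all
// of it to another address inside the campaign window.
const USER = "0xAaAa000000000000000000000000000000000001";
const OTHER = "0xBbBb000000000000000000000000000000000002";
const POC_EVENTS = [
  { name: "Staked",   args: { by: USER, amount: ETH(1000) } },
  { name: "Unstaked", args: { by: USER, amount: ETH(1000), to: OTHER } },
];

console.log("Staked-only ledger:", replayStakedOnly(POC_EVENTS).get(USER.toLowerCase()));
console.log("Corrected ledger:  ", replayWithUnstakes(POC_EVENTS).points.get(USER.toLowerCase()));
```

Run with `node`: the Staked-only ledger reports 1_000_000 points for the user after the full withdrawal, the corrected ledger reports 0. Recomputing points from net staked wei, rather than adding and subtracting per-event point values, is what keeps partial unstakes from leaving rounding residue in the database.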

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Steaking server is not taking unstakes into account
