First Flight #22: Steaking

First Flight #22

Beginner FriendlyFoundryDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Points are not deducted accordingly in backend server when user performs unstake operation resulting potential exploitation of protocol campaign to earn high amount of $STEAK token in future airdrop without staking any ETH at all

soupy

Summary

The points rewarded to user in backend server upon the staking operation are not deducted accordingly when user performs unstake operation resulting potential exploitation of protocol campaign to earn high amount of $STEAK token in future airdrop without staking any ETH at all

Vulnerability Details

According to the protocol staking campaign, 1 ETH staked gives the user 1000 points on the backend server. However, when user decides to unstake, the points rewarded at the backend server are not deducted accordingly. This could lead to the exploitation of protocol campaign to earn high amount of $STEAK token in future airdrop without staking any ETH at all as the protocol allows user to withdraw completely during the campaign period.

Proof of Concept:

User performs stake operation with 1000 ETH
- cast send <contract-address> "stake(address)" <user-address> --private-key <private-key> --value "10ether"
- backend server recorded 1000 * 1000 = 1_000_000 points for user
User performs unstake operation withdrawing all 1000 ETH within the campaign period
- cast send <contract-address> "unstake(uint256,address)" 1000000000000000000000 <user-other-address> --private-key <private-key>
- connect to mongosh
  use test
  db.steakpoints.find({ walletAddress: <user-address> }).pretty()
- backend server is found still retaining the records of 1_000_000 points for the user

The vulnerability is due to the protocol server steaking-server/src/main.js only listens to Staked event and doesn't factor in the Unstaked event emitted through steaking-contracts/src/Steaking.vy contract.

Impact

Exploitation of protocol campaign to earn high amount of $STEAK token in future airdrop without staking any ETH at all

Tools Used

Manual review

Recommendations

Below are 2 different implementation suggestions to refine the point reward flow:

To factor in the Unstaked event from steaking-contracts/src/Steaking.vy contract in steaking-server/src/main.js and deduct the points corresponding to the unstaked amount from the database accordingly
Instead of listening to Staked and Unstaked event, the project team can consider to reward points based on the final staked amount when campaign ends and listening to the DepositedIntoVault event instead to simplify the point reward process to those who stake till the campaign ends.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Steaking server is not taking unstakes into account

Rewards breakdown

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.