Points awarded to a user by the backend server on stake are not deducted when the user unstakes, allowing the protocol campaign to be exploited to earn a high amount of $STEAK tokens in the future airdrop without staking any ETH at all
According to the protocol staking campaign, 1 ETH staked gives the user 1000 points on the backend server. However, when the user decides to unstake, the points awarded by the backend server are not deducted accordingly. Since the protocol allows users to withdraw completely during the campaign period, this can be exploited to earn a high amount of $STEAK tokens in the future airdrop without ultimately staking any ETH at all.
Proof of Concept:
The user performs a stake operation with 1000 ETH:
cast send <contract-address> "stake(address)" <user-address> --private-key <private-key> --value "1000ether"
The backend server records 1000 * 1000 = 1_000_000 points for the user.
The user performs an unstake operation withdrawing all 1000 ETH within the campaign period:
cast send <contract-address> "unstake(uint256,address)" 1000000000000000000000 <user-other-address> --private-key <private-key>
Connect to the database with mongosh.
The backend server is found to still retain the record of 1_000_000 points for the user.
The vulnerability is due to the protocol server steaking-server/src/main.js only listening to the Staked event and not factoring in the Unstaked event emitted by the steaking-contracts/src/Steaking.vy contract.
Impact: Exploitation of the protocol campaign to earn a high amount of $STEAK tokens in the future airdrop without staking any ETH at all.
Tools Used: Manual review
Recommendations: Below are two different implementation suggestions to refine the point reward flow:
1. Factor in the Unstaked event from the steaking-contracts/src/Steaking.vy contract in steaking-server/src/main.js and deduct the points corresponding to the unstaked amount from the database accordingly.
2. Instead of listening to the Staked and Unstaked events, the project team can consider rewarding points based on the final staked amount when the campaign ends, listening to the DepositedIntoVault event instead, to simplify the point reward process to those who stake until the campaign ends.
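As an added example (not the project's own code) of the root cause and of the first recommendation: a points ledger that replays a sequence of decoded events, once crediting Staked only (the behaviour described above) and once also applying Unstaked. The event shape { name, staker, amountWei } and the use of the staker rather than the withdrawal receiver as the ledger key are assumptions, since the real decoded log fields of Steaking.vy and main.js are not shown on this page.

```javascript
// Added example (not the project's code): replay Staked/Unstaked events into a
// points ledger. Event shape { name, staker, amountWei } is assumed; the real
// decoded log fields of Steaking.vy and steaking-server/src/main.js may differ.
const POINTS_PER_ETH = 1000n;   // campaign rule: 1 ETH staked = 1000 points
const WEI_PER_ETH = 10n ** 18n;

// Integer math on wei, so partial-ETH amounts never hit float rounding.
function pointsFor(amountWei) {
  return (BigInt(amountWei) * POINTS_PER_ETH) / WEI_PER_ETH;
}

// Behaviour described in the finding: only Staked is ever applied, so a full
// unstake leaves the stale credit in place.
function applyStakedOnly(events) {
  const ledger = new Map();
  for (const ev of events) {
    if (ev.name !== "Staked") continue;
    const cur = ledger.get(ev.staker) ?? 0n;
    ledger.set(ev.staker, cur + pointsFor(ev.amountWei));
  }
  return ledger;
}

// First recommendation: Unstaked deducts the matching points. The ledger is
// keyed by the staker, not the withdrawal receiver (the PoC unstakes to another
// address), and the balance is clamped at zero so a duplicated or replayed
// Unstaked event can never drive it negative.
function applyStakedAndUnstaked(events) {
  const ledger = new Map();
  for (const ev of events) {
    const cur = ledger.get(ev.staker) ?? 0n;
    const delta = pointsFor(ev.amountWei);
    if (ev.name === "Staked") ledger.set(ev.staker, cur + delta);
    else if (ev.name === "Unstaked") ledger.set(ev.staker, cur > delta ? cur - delta : 0n);
  }
  return ledger;
}

// Constructed sample reproducing the PoC: 1000 ETH staked, then fully unstaked.
const POC_EVENTS = [
  { name: "Staked", staker: "0xStaker", amountWei: 1000n * WEI_PER_ETH },
  { name: "Unstaked", staker: "0xStaker", amountWei: 1000n * WEI_PER_ETH },
];

console.log("Staked only:", applyStakedOnly(POC_EVENTS).get("0xStaker"));              // 1000000n
console.log("Staked + Unstaked:", applyStakedAndUnstaked(POC_EVENTS).get("0xStaker")); // 0n
```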