Submission Details
Severity: high
Valid

Point inflation vulnerability due to lack of unstake event handling in steaking contract backend

Summary

The Steaking contract and its accompanying backend logic allow users to accumulate points based on the amount of ETH they stake. However, the system lacks logic to decrease points when users unstake their ETH.

Vulnerability Details

The backend system listens for the STAKED event and adds points to a user’s account each time they stake ETH, but it does not decrease the points when a user unstakes. Specifically, the main.js file lacks an event listener for the Unstaked event that would reduce the user’s points accordingly.

Impact

Since there are no penalties or cooldown periods for unstaking, a user can repeatedly stake and unstake the same ETH, earning points on every stake while losing none on the unstake. This can be repeated indefinitely, allowing users to gain unfair advantages for future rewards ($STEAK token airdrops).

Tools Used

Manual Review

Recommendations

Add an event listener for the Unstaked event in the backend. When a user unstakes ETH, reduce their points proportionally to the amount they have unstaked. This ensures that users only retain points for ETH that remains staked.
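The following is an added example, not the project's own main.js: it replays a constructed Staked/Unstaked event stream through two ledgers, one that only handles Staked (the behaviour described above) and one that also handles Unstaked and reduces points in proportion to the share of the user's tracked stake that leaves the contract. The event object shape, the points rule (one point per wei staked) and all function names are assumptions.

```javascript
// Added example (not the Steaking project's code). Assumptions: events are
// plain objects { name, user, amount } with amount in wei as a BigInt, and a
// user earns one point per wei staked.

const ONE_ETH = 10n ** 18n;

// Vulnerable replay: only Staked events touch the ledger, so a stake/unstake
// loop inflates points without bound.
function replayIgnoringUnstakes(events) {
  const points = new Map();
  for (const ev of events) {
    if (ev.name !== "Staked") continue;
    points.set(ev.user, (points.get(ev.user) ?? 0n) + ev.amount);
  }
  return points;
}

// Hardened replay: Unstaked events remove points proportionally to the
// fraction of the user's tracked stake being withdrawn.
function replayWithUnstakes(events) {
  const points = new Map();
  const staked = new Map(); // ETH still staked per user, as seen by the backend
  for (const ev of events) {
    const p = points.get(ev.user) ?? 0n;
    const s = staked.get(ev.user) ?? 0n;
    if (ev.name === "Staked") {
      points.set(ev.user, p + ev.amount);
      staked.set(ev.user, s + ev.amount);
    } else if (ev.name === "Unstaked") {
      // Edge case: an Unstaked event for a user the backend never saw stake
      // means the event stream is out of sync; fail loudly rather than
      // silently underflow.
      if (s === 0n) throw new Error(`Unstaked with no tracked stake for ${ev.user}`);
      // Clamp so a reorg or missed event can never remove more than tracked.
      const out = ev.amount > s ? s : ev.amount;
      points.set(ev.user, p - (p * out) / s);
      staked.set(ev.user, s - out);
    }
  }
  return points;
}

// Constructed sample stream: alice stakes 1 ETH once, bob cycles 1 ETH three
// times, charlie stakes 2 ETH and withdraws 0.5 ETH.
function sampleEvents() {
  const events = [{ name: "Staked", user: "alice", amount: ONE_ETH }];
  for (let i = 0; i < 3; i++) {
    events.push({ name: "Staked", user: "bob", amount: ONE_ETH });
    events.push({ name: "Unstaked", user: "bob", amount: ONE_ETH });
  }
  events.push({ name: "Staked", user: "charlie", amount: 2n * ONE_ETH });
  events.push({ name: "Unstaked", user: "charlie", amount: ONE_ETH / 2n });
  return events;
}

// Whole-ETH view of a user's points, for printing.
function pointsInEth(ledger, user) {
  return (ledger.get(user) ?? 0n) / ONE_ETH;
}

const vulnerable = replayIgnoringUnstakes(sampleEvents());
const fixed = replayWithUnstakes(sampleEvents());
console.log("bob (Staked only):   ", pointsInEth(vulnerable, "bob"), "ETH-points");
console.log("bob (with Unstaked): ", pointsInEth(fixed, "bob"), "ETH-points");
console.log("charlie (with Unstaked):", fixed.get("charlie"), "wei-points");
```

With the Staked-only ledger, bob ends with 3 ETH-points while holding nothing in the contract; with the Unstaked handler he ends with 0, and charlie keeps points only for the 1.5 ETH that remains staked.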

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Steaking server is not taking unstakes into account
