Submission Details
Severity: high
Valid

Malicious user can steal funds via depositIntoVault() function

Summary

When depositIntoVault is called, a proportional amount of shares is minted to msg.sender. However, the internal contract state is not updated: usersToStakes[msg.sender] and totalAmountStaked are left unchanged.

Vulnerability Details

After depositing the ETH into the vault and converting it to WETH, the function does not update usersToStakes or totalAmountStaked. This leaves the internal accounting incorrect, since those values are never reduced to reflect the deposit.

Place the following test into steaking-contracts/test/Steaking.t.sol:

function testDepositIntoVault() public {
    uint256 dealAmount = steaking.getMinimumStakingAmount();
    _startVaultDepositPhase(user1, dealAmount, user1);

    vm.startPrank(user1);
    steaking.depositIntoVault();
    vm.stopPrank();

    uint256 steakingBalance = address(steaking).balance;
    uint256 expectedSteakingBalance = 0;
    uint256 wethSteakVaultShares = wethSteakVault.balanceOf(user1);

    assertEq(steakingBalance, expectedSteakingBalance);
    assertEq(wethSteakVaultShares, dealAmount);
    // The next assertion passes: the user's recorded stake is still dealAmount after the deposit,
    // which allows the user to call depositIntoVault() again, which should not be possible.
    assertEq(steaking.usersToStakes(user1), dealAmount);
}

Impact

The missing state updates allow a malicious user to drain staked funds after depositing only the minimum stake amount. Scenario:

1. Bob, along with other users, deposits the minimum stake amount.

2. After 4 weeks, Bob repeatedly calls depositIntoVault() and receives shares backed by the other users' deposits.

Tools Used

Manual Review

Recommendations

Ensure that usersToStakes[msg.sender] and totalAmountStaked are reduced to reflect the amount moved into the vault after a successful deposit, so that the records stay accurate and the same stake cannot be used to mint shares more than once.
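The following is an added illustration of the recommended fix, not the Steaking project's code. It is a simplified, hypothetical contract that keeps only the two state variables named in this report; the IWETH and IERC4626Like interfaces, the stake() function, the vaultDepositStart phase gate and the error and event names are assumptions made for the example. The point it shows is the checks-effects-interactions order: read the caller's recorded stake, zero it and reduce totalAmountStaked before any external call, and deposit only that amount into the vault.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for this example; the real project's interfaces may differ.
interface IWETH {
    function deposit() external payable;
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IERC4626Like {
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

// Hypothetical simplified contract showing the corrected accounting in depositIntoVault().
contract SteakingFixed {
    mapping(address => uint256) public usersToStakes;
    uint256 public totalAmountStaked;

    IWETH public immutable weth;
    IERC4626Like public immutable vault;
    uint256 public immutable vaultDepositStart; // assumed timestamp at which the vault phase opens

    error Steaking__NotInVaultDepositPhase();
    error Steaking__NothingToDeposit();

    event DepositedIntoVault(address indexed user, uint256 assets, uint256 shares);

    constructor(IWETH _weth, IERC4626Like _vault, uint256 _vaultDepositStart) {
        weth = _weth;
        vault = _vault;
        vaultDepositStart = _vaultDepositStart;
    }

    // Simplified staking entry point: record the caller's ETH and the running total.
    function stake() external payable {
        usersToStakes[msg.sender] += msg.value;
        totalAmountStaked += msg.value;
    }

    function depositIntoVault() external returns (uint256 shares) {
        // Checks: the vault phase must be open and the caller must have an outstanding stake.
        if (block.timestamp < vaultDepositStart) revert Steaking__NotInVaultDepositPhase();
        uint256 amount = usersToStakes[msg.sender];
        if (amount == 0) revert Steaking__NothingToDeposit();

        // Effects: clear the caller's stake and reduce the total BEFORE any external call,
        // so a second call (or a reentrant one) finds nothing left to deposit.
        usersToStakes[msg.sender] = 0;
        totalAmountStaked -= amount;

        // Interactions: wrap exactly the caller's own amount and deposit it for the caller.
        weth.deposit{value: amount}();
        weth.approve(address(vault), amount);
        shares = vault.deposit(amount, msg.sender);

        emit DepositedInto Vault(msg.sender, amount, shares);
    }
}
```

With this ordering, the test above changes in two ways: the final assertion becomes `assertEq(steaking.usersToStakes(user1), 0)`, and a second `depositIntoVault()` call from user1 should be expected to revert (with `vm.expectRevert` in Foundry) rather than mint additional shares. Decrementing totalAmountStaked by the same amount keeps the contract-wide accounting consistent with the sum of the remaining per-user stakes.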

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`Steaking:depositIntoVault` fails to update the user's balance allowing contract draining to repeat call
