Description:
The Steak protocol uses a backend server to allocate points to users based on the amount of ETH staked in the steaking contract. This centralized approach to points allocation introduces risk: the backend server becomes a single point of failure, and if it is compromised or manipulated it could produce incorrect point allocations, giving some users an unfair advantage and undermining the integrity of the points-based reward system.
Impact:
If the backend server is compromised, attackers could artificially inflate their point balances, making them eligible for a disproportionately large share of the future $STEAK token airdrop. This could lead to significant financial losses for honest participants and damage the protocol's reputation.
Proof of Concept:
An attacker gains access to the backend server responsible for the points allocation. The attacker modifies the points allocation logic to favor their own or associated addresses. As a result, the attacker accrues an unfairly large number of points, increasing their share of the $STEAK token airdrop.
Recommended Mitigation:
Implement a decentralized oracle service to manage the points allocation process. The oracle can fetch and verify relevant staking data on-chain, ensuring that the allocation of points is transparent and tamper-proof. This approach would minimize reliance on a centralized server, thereby reducing the risk of manipulation or unfair distribution of rewards.
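One way to realise this mitigation is to move the points accounting itself on-chain, so neither a server nor an oracle decides balances. The Solidity contract below is an added example, not the Steak protocol's code; it assumes a time-weighted formula (points = wei staked multiplied by seconds staked), which the report does not specify.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical on-chain points ledger (added example, not Steak protocol code).
/// Points accrue as stake-seconds, computed from block.timestamp, so the value
/// any user holds is derivable and verifiable by anyone from chain state alone.
contract OnChainPoints {
    struct Account {
        uint256 staked;     // wei currently staked
        uint256 points;     // points settled up to lastUpdate
        uint256 lastUpdate; // timestamp of the last settlement (0 = never staked)
    }

    mapping(address => Account) private accounts;

    // Settle points accrued since lastUpdate before any balance change,
    // so a change in stake never retroactively alters earlier accrual.
    function _settle(Account storage a) internal {
        if (a.lastUpdate != 0) {
            a.points += a.staked * (block.timestamp - a.lastUpdate);
        }
        a.lastUpdate = block.timestamp;
    }

    function stake() external payable {
        require(msg.value > 0, "zero stake");
        Account storage a = accounts[msg.sender];
        _settle(a);
        a.staked += msg.value;
    }

    // Checks-effects-interactions: state is updated before the ETH transfer.
    function unstake(uint256 amount) external {
        Account storage a = accounts[msg.sender];
        require(amount <= a.staked, "insufficient stake");
        _settle(a);
        a.staked -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Read by the airdrop contract (or any observer): settled points plus
    // points accrued since the last settlement. No off-chain input involved.
    function pointsOf(address user) external view returns (uint256) {
        Account storage a = accounts[user];
        return a.points + a.staked * (block.timestamp - a.lastUpdate);
    }
}
```

An airdrop contract that reads pointsOf at snapshot time has no server to compromise; the only remaining trust assumptions are the contract code and the chain itself.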