A user stakes ETH using the function Steaking::stake, as mentioned below.
This function maintains a mapping, Steaking::usersToStakes, which maps each user's address to the amount staked. When a user stakes ETH, the mapping entry is set to the amount of ETH sent with that call. Because of this, the Steaking::usersToStakes mapping discards any amount the user staked previously.
As a result, once Steaking::depositIntoVault becomes live, the user will be able to deposit only their most recently staked amount into the vault. This limitation arises because Steaking::depositIntoVault allows users to deposit only the amount recorded in the Steaking::usersToStakes mapping, which is incorrect. Only part of the total staked ETH will be deposited into the vault, and the user's remaining staked ETH will be stuck in the Steaking contract forever.
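The accounting described above, and the accumulate-instead-of-overwrite behaviour the mitigation aims for, as an added Python model that is not the Steaking contract's code or the finding's test. The class, method and user names, the zeroing of the entry on deposit, and the stake amounts are assumptions constructed for this example; the invariant it checks (ETH held equals ETH recorded) is the kind of property a test suite can assert after every stake.

```python
# Added model of the accounting described above; not the Steaking contract's code.
# Class, method and user names are assumptions made for this example.
from collections import defaultdict

ETH = 10**18  # wei per ether


class StakingModel:
    """Tracks ETH held by the contract and the per-user stake mapping."""

    def __init__(self, accumulate):
        self.accumulate = accumulate          # False = behaviour in the finding, True = mitigation
        self.users_to_stakes = defaultdict(int)
        self.balance = 0                      # ETH actually held by the contract
        self.vault = defaultdict(int)         # amounts moved into the vault per user

    def stake(self, user, value):
        self.balance += value                 # the ETH always arrives in the contract
        if self.accumulate:
            self.users_to_stakes[user] += value
        else:
            self.users_to_stakes[user] = value   # earlier stake is discarded

    def deposit_into_vault(self, user):
        amount = self.users_to_stakes[user]   # only the recorded amount can move
        self.users_to_stakes[user] = 0        # assumption: entry is cleared on deposit
        self.balance -= amount
        self.vault[user] += amount
        return amount

    def unaccounted(self):
        """Invariant: ETH held minus ETH recorded must be 0, otherwise funds are stranded."""
        return self.balance - sum(self.users_to_stakes.values())


def run(accumulate):
    """Constructed scenario: alice stakes twice, bob once, then both deposit."""
    m = StakingModel(accumulate)
    m.stake("alice", 1 * ETH)
    m.stake("alice", 2 * ETH)
    m.stake("bob", 1 * ETH)
    drift_before = m.unaccounted()
    deposited = m.deposit_into_vault("alice") + m.deposit_into_vault("bob")
    return drift_before, deposited, m.balance  # m.balance = ETH left behind


if __name__ == "__main__":
    for mode in (False, True):
        print("accumulate" if mode else "overwrite", [x // ETH for x in run(mode)])
```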
This vulnerability has a critical impact on the protocol. Users will be unable to deposit their entire staked ETH once Steaking::depositIntoVault is live, causing all previously staked ETH to remain trapped in the Steaking contract permanently. Therefore, the severity of this vulnerability is assessed as high.
Manual code review
We prove the incorrectness of the hashmap using the test function below.
Paste the following function into Steaking.t.sol.
In order to mitigate this vulnerability, change the following lines. This change will ensure that the amount sent is added to the user's previously staked amount: