A user becomes eligible for the $STEAK airdrop if they have minted at least 0.5 ETH, in which case they are given 500 points on the off-chain server. According to the protocol, users with more points (i.e., those who staked more ETH) will have a greater opportunity to receive a larger share of the $STEAK token airdrop.
In the main.js file, the server only listens for the event emitted when someone stakes ETH and awards them points accordingly in the database. However, there is no function that listens for the event emitted when someone unstakes ETH from the protocol and deducts the points accordingly. This leaves room for a malicious user to repeatedly stake the minimum stake amount, unstake it, and still gain points each time.
The vulnerability arises because the current implementation of the main.js file only listens for the STAKED event to award points to users based on the amount of ETH they stake. However, there is no corresponding event listener for when users unstake their ETH, meaning the points are not deducted from their accounts when they withdraw their staked ETH.
1. Attacker stakes 0.5 ether.
2. Attacker unstakes 0.5 ether.
3. We observe that the server still has 500 points awarded to <ATTACKER_PUBLIC_ADDRESS>, which directly means that upon unstaking, the points are not being deducted on the server.
A malicious user can gain an unfair advantage by minting a very large number of points and taking a major share of the $STEAK airdrop when it is released, all without having any ETH staked, which is unfair to all legitimate users of the protocol.
This loophole could also undermine the purpose of bootstrapping liquidity for the WETH vault: if points remain available after unstaking, the majority of users may unstake their ETH as soon as they have obtained the points on the off-chain server.
Hence the severity of this vulnerability is assessed as high.
Manual code review
In the main.js file, under the main function, add a function that listens for the unstaked event and deducts the points corresponding to the amount of ETH unstaked from the database.
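As an added illustration of the missing listener and the recommended fix (example code, not the project's main.js), the following replays a constructed Staked/Unstaked event log against an in-memory points ledger, once with the reported behaviour and once with unstakes handled; it also generalizes the fix to partial unstakes by deriving points from each user's net staked balance. The event names, field names, addresses and the Map standing in for the database are assumptions.

```javascript
// Added example, not the project's main.js: an off-chain points ledger that
// replays constructed Staked/Unstaked events. The 0.5 ETH -> 500 points rule
// is from the report; the event names, field names and the in-memory Map
// standing in for the database are assumptions.
const MIN_STAKE_WEI = 500_000_000_000_000_000n; // 0.5 ETH in wei
const POINTS_PER_MIN_STAKE = 500n;
// Points earned by a staked amount: 500 per 0.5 ETH, nothing below the minimum.
function pointsFor(amountWei) {
  if (amountWei < MIN_STAKE_WEI) return 0n;
  return (amountWei * POINTS_PER_MIN_STAKE) / MIN_STAKE_WEI;
}
// Replay an event log into a Map<address, {staked, points}>.
// handleUnstake=false reproduces the reported behaviour: only Staked is
// observed, so points are credited per stake event and never debited.
// handleUnstake=true is the fix: track each user's net staked balance and
// derive points from it, so stake/unstake loops and partial unstakes net out.
function replay(events, { handleUnstake }) {
  const db = new Map();
  for (const ev of events) {
    const row = db.get(ev.user) ?? { staked: 0n, points: 0n };
    if (ev.name === 'Staked') {
      row.staked += ev.amount;
      row.points = handleUnstake ? pointsFor(row.staked) : row.points + pointsFor(ev.amount);
    } else if (ev.name === 'Unstaked' && handleUnstake) {
      row.staked = ev.amount > row.staked ? 0n : row.staked - ev.amount; // never negative
      row.points = pointsFor(row.staked);
    }
    db.set(ev.user, row);
  }
  return db;
}
function pointsOf(db, user) { return (db.get(user) ?? { points: 0n }).points; }
// Constructed event log: the attacker loops stake/unstake of exactly 0.5 ETH
// three times; an honest user stakes 0.5 ETH once and leaves it staked.
const ATTACKER = '0xattacker'; // placeholder address
const HONEST = '0xhonest';     // placeholder address
const EVENTS = [];
for (let i = 0; i < 3; i++) {
  EVENTS.push({ name: 'Staked', user: ATTACKER, amount: MIN_STAKE_WEI });
  EVENTS.push({ name: 'Unstaked', user: ATTACKER, amount: MIN_STAKE_WEI });
}
EVENTS.push({ name: 'Staked', user: HONEST, amount: MIN_STAKE_WEI });
const vulnerable = replay(EVENTS, { handleUnstake: false });
const fixed = replay(EVENTS, { handleUnstake: true });
// Attacker ends with 1500 points under the current logic and 0 once unstakes are debited.
console.log({ vulnerable: pointsOf(vulnerable, ATTACKER), fixed: pointsOf(fixed, ATTACKER) }); // { vulnerable: 1500n, fixed: 0n }
```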