Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Every Strategy Can Update Other Strategies

ChainDefenders

Summary

In StakingPool there is a function named updateStrategyRewards:

function updateStrategyRewards(uint256[] memory _strategyIdxs, bytes memory _data) external {
if (msg.sender != rebaseController && !_strategyExists(msg.sender))
revert SenderNotAuthorized();
_updateStrategyRewards(_strategyIdxs, _data);
}

It is used to distribute rewards/fees based on balance changes in strategies since the last update. However, as we can see every strategy can call for other strategies which can cause problems.

Vulnerability Details

Let's have the following scenario:

  1. There are Strategy A and Strategy B.

  2. Strategy A calls updateStrategyRewards with Strategy B's Id.

  3. The call is successful and Strategy A is able to update rewards for Strategy B which should not be happening.

Impact

The impact of such a vulnerability can be big especially in the case in which one of the strategies turns out to be malicious (for example the ownership of the strategy is stolen) and the StakingPool's owner is slow to react to this. It can lead to malicious or unintentional updates of rewards.

Tools Used

Manual Review

Recommendations

Implement a better access control over the updateStrategyRewards function which compares strategy Id to the msg.sender.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.