Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

No Access Control on Critical Functions in Vault

xidik

Summary

The Vault contract allows the vaultController to perform critical operations such as withdraw and unbond without additional access control mechanisms. If the vaultController is compromised, it could unbond or withdraw tokens, leading to loss of funds.

Vulnerability Details

In the Vault contract:

modifier onlyVaultController() {

if (msg.sender != vaultController) revert OnlyVaultController();

}

function withdraw(uint256 _amount) external virtual onlyVaultController {

stakeController.unstake(_amount);

token.safeTransfer(vaultController, _amount);

}

function unbond() external onlyVaultController {

stakeController.unbond();

}

The vaultController is a single address set during initialization. If this address is compromised, there are no additional safeguards to prevent unauthorized access to critical functions.

Impact

Loss of Funds: Unauthorized withdrawals could result in loss of user funds.

Disruption of Operations: Unintended unbonding could affect staking rewards and contract functionality.

Security Risk: Reliance on a single address increases the risk if that address is compromised.

Tools Used

Manual code review.

Recommendations

Implement Multi-Signature Control:
- Consider requiring multiple signatures or confirmations for critical operations.
- Use a multi-signature wallet as the vaultController to distribute control.
Enhance Access Control:
- Implement additional checks, such as time delays or consensus mechanisms for critical functions.
Emergency Stop Mechanism:
- Introduce a circuit breaker that allows pausing of critical functions in case of an emergency.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.