Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Reentrancy in `raiseAlert` Function

chainsentryaudits

Summary

A critical reentrancy vulnerability has been identified in the raiseAlert function of the OperatorVault.sol contract. This vulnerability allows an attacker to exploit external calls made within the function to perform unauthorized actions, potentially leading to significant financial losses and disruption of the platform's reward distribution mechanism.

Vulnerability Details

Issue Description

The raiseAlert function in OperatorVault.sol performs an external call to the pfAlertsController.raiseAlert(_feed) before updating the contract's internal state or transferring tokens. This sequence of operations exposes the contract to a reentrancy attack, where a malicious or compromised pfAlertsController can re-enter the raiseAlert function or other sensitive functions within the OperatorVault contract during its execution.

Relevant Code Snippet

function raiseAlert(address _feed) external onlyOperator {
uint256 prevBalance = token.balanceOf(address(this));
pfAlertsController.raiseAlert(_feed);
uint256 rewards = token.balanceOf(address(this)) - prevBalance;
uint256 opRewards = (rewards * IOperatorVCS(vaultController).operatorRewardPercentage()) / 10000;
token.safeTransfer(vaultController, rewards - opRewards);
emit AlertRaised();
}
```

Analysis

  1. External Call Before State Update:

    • The function initiates an external call to pfAlertsController.raiseAlert(_feed) prior to performing any state changes or token transfers. This external interaction is risky because it allows the called contract to execute arbitrary code, including potentially malicious operations.

  2. Reentrancy Potential:

    • If pfAlertsController is malicious or becomes compromised, it can exploit this external call to re-enter the raiseAlert function or other functions within the OperatorVault contract. This can lead to multiple executions of sensitive operations before the contract's state is properly updated, enabling unauthorized manipulation of token balances and rewards.

  3. State Dependency on Token Balance:

    • The calculation of rewards relies on the token balance before and after the external call. If reentrancy occurs, the token balance can be manipulated, leading to incorrect calculations and unauthorized transfers.

  4. Lack of Reentrancy Guards:

    • The contract does not implement any reentrancy protection mechanisms (e.g., OpenZeppelin's ReentrancyGuard). This absence makes it easier for attackers to exploit the vulnerability without facing immediate restrictions.

Impact

  • Financial Loss: Attackers can manipulate the token balance to withdraw more tokens than they are entitled to, leading to potential loss of funds.

  • Disruption of Reward Mechanism: Incorrect reward calculations can disrupt the distribution process, affecting both operators and the overall integrity of the platform.

  • Erosion of Trust: Exploitation of this vulnerability can undermine user confidence in the platform's security, potentially deterring future participation and investment.

Tools Used

Manual review

Recommendations

Mitigation Steps and Recommendations

  1. Implement Reentrancy Guards:

    • Utilize OpenZeppelin's ReentrancyGuard to prevent reentrant calls to vulnerable functions. By applying the nonReentrant modifier to the raiseAlert function, the contract ensures that it cannot be re-entered during its execution.

    import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
    contract OperatorVault is Vault, ReentrancyGuard {
    // ...
    function raiseAlert(address _feed) external onlyOperator nonReentrant {
    uint256 prevBalance = token.balanceOf(address(this));
    pfAlertsController.raiseAlert(_feed);
    uint256 rewards = token.balanceOf(address(this)) - prevBalance;
    uint256 opRewards = (rewards * IOperatorVCS(vaultController).operatorRewardPercentage()) / 10000;
    token.safeTransfer(vaultController, rewards - opRewards);
    emit AlertRaised();
    }
    // ...
    }
    ```

  2. Validate External Contracts:

    • Ensure that the pfAlertsController is a trusted contract. Implement strict access controls to prevent unauthorized entities from setting or modifying the pfAlertsController address. Consider using multi-signature wallets or decentralized governance mechanisms to manage sensitive contract addresses.

  3. Follow Checks-Effects-Interactions Pattern:

    • Reorder operations within the raiseAlert function to update internal state variables before making external calls. This minimizes the risk of reentrancy by ensuring that the contract's state reflects the changes before any external interactions occur.

    function raiseAlert(address _feed) external onlyOperator nonReentrant {
    // Effects
    uint256 prevBalance = token.balanceOf(address(this));
    // Interactions
    pfAlertsController.raiseAlert(_feed);
    uint256 rewards = token.balanceOf(address(this)) - prevBalance;
    uint256 opRewards = (rewards * IOperatorVCS(vaultController).operatorRewardPercentage()) / 10000;
    token.safeTransfer(vaultController, rewards - opRewards);
    emit AlertRaised();
    }
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.