The LSTRewardsSplitter contract's dependency on an outdated version of the OpenZeppelin library, as specified in the package.json file, may introduce a vulnerability related to the ERC20Permit extension. This vulnerability could allow attackers to reuse signature permits, potentially leading to unauthorized actions within the contract or its dependencies.
The LSTRewardsSplitter contract relies on the OpenZeppelin library for several pieces of functionality, including the SafeERC20 utility and the Ownable contract. However, the version of the OpenZeppelin library specified in the package.json file (^4.7.0) allows for versions that may contain a high severity vulnerability in the ERC20Permit extension.
The vulnerability, fixed in OpenZeppelin Contracts versions 4.7.3 and 4.8.1, could allow reuse of signature permits in certain scenarios. If the LSTRewardsSplitter contract or any of its dependencies rely on the vulnerable versions of the ERC20Permit extension, it could potentially expose the contract to unauthorized actions.
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories
There is one relevant security advisory for this version range:
High severity vulnerability fixed in version 4.7.3 and 4.8.1
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9
The vulnerability affects the ERC20Permit extension and could allow reuse of signature permits. It was fixed in version 4.7.3 for the 4.7.x branch and 4.8.1 for the 4.8.x branch.
Since the package.json specifies "^4.7.0", it would allow versions up to (but not including) 4.8.0. If any 4.7.x version below 4.7.3 is used, the codebase could be affected by this vulnerability.
If the LSTRewardsSplitter contract or any of its dependencies utilize the vulnerable versions of the ERC20Permit extension, it could expose the contract to unauthorized actions. Attackers might be able to reuse signature permits to perform unintended operations, such as unauthorized token transfers or approvals.
Manual Review
Update the OpenZeppelin library to a patched version. Specifically, update the @openzeppelin/contracts package in the package.json file to version ^4.7.3 or ^4.8.1.
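As an added example (not part of the original finding or of the project's own code), the following POSIX shell functions check the @openzeppelin/contracts version that is actually installed under node_modules, since the resolved version, not the range written in package.json, is what ends up in the build. The patched floors (4.7.3 for the 4.7.x line, 4.8.1 for the 4.8.x line) are taken from the finding; the node_modules path, the function names and the MAJOR.MINOR.PATCH version format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original finding or the project's code.
# Compares the installed @openzeppelin/contracts version against the patched
# releases named in the finding: 4.7.3 (4.7.x line) and 4.8.1 (4.8.x line).

# oz_is_patched VERSION
# Returns 0 if VERSION is at or above the patched release for its line, 1 otherwise.
# Assumes a numeric MAJOR.MINOR.PATCH string; a pre-release suffix is ignored.
oz_is_patched() {
  ver="$1"
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
  patch=${patch:-0}
  case "$major.$minor" in
    4.7) [ "$patch" -ge 3 ] ;;   # fixed in 4.7.3
    4.8) [ "$patch" -ge 1 ] ;;   # fixed in 4.8.1
    *)
      # Any 4.x line below 4.7 predates the fix; 4.9+ and later majors were cut after it.
      if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 8 ]; }; then
        return 0
      else
        return 1
      fi
      ;;
  esac
}

# oz_installed_version [PATH_TO_PACKAGE_JSON]
# Prints the "version" field of the installed package's own package.json.
# The default path assumes a standard npm layout (assumption, not from the finding).
oz_installed_version() {
  pkg="${1:-node_modules/@openzeppelin/contracts/package.json}"
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg"
}

# oz_check [PATH_TO_PACKAGE_JSON]
# Prints a one-line verdict; returns 0 when patched, 1 when vulnerable or unreadable.
oz_check() {
  v=$(oz_installed_version "$1") || return 1
  [ -n "$v" ] || { echo "could not read installed version"; return 1; }
  if oz_is_patched "$v"; then
    echo "@openzeppelin/contracts $v: patched"
  else
    echo "@openzeppelin/contracts $v: VULNERABLE range, upgrade to >=4.7.3 or >=4.8.1"
    return 1
  fi
}
```

Source the file from the repository root and run `oz_check` (or pass an explicit path to a package.json) in CI; a non-zero exit fails the build until the lockfile resolves to a patched release.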