Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Deposit function is not locked after deposit

aliqbdoli

Summary

If the deposit function is not locked, several potential attacks could be launched against this contract

Vulnerability Details

1. Double-Spend Attacks

Without locking mechanisms, users could potentially make multiple deposits with the same funds:

// Example attack scenario:

function doubleSpendAttack(address attacker, uint256 amount) external payable {

DepositContract(depositAddress).deposit(

attackerPubkey,

withdrawalCredentials,

signature,

depositDataRoot

);

// Before the first deposit is confirmed, another deposit is made

DepositContract(depositAddress).deposit(

attackerPubkey,

withdrawalCredentials,

signature,

depositDataRoot

);

}

2. Front-Running Attacks

sers could quickly submit multiple deposits targeting the same address before legitimate users can act:

function frontRunAttack(address target, uint256 amount) external payable {

for (uint i = 0; i < 10; i++) {

DepositContract(depositAddress).deposit(

targetPubkey,

targetWithdrawalCredentials,

targetSignature,

targetDepositDataRoot

);

}

4. Denial of Service (DoS) Attacks

An attacker could flood the contract with numerous small deposits:

function dosAttack(uint256 numDeposits) external payable {

for (uint i = 0; i < numDeposits; i++) {

DepositContract(depositAddress).deposit(

randomPubkey,

randomWithdrawalCredentials,

randomSignature,

randomDepositDataRoot

);

}

Impact

Without locking mechanisms, early depositors might gain unfair advantages:

function earlyBirdAttack(address earlyBird, address target) external payable {

// First deposit

DepositContract(depositAddress).deposit(

earlyBirdPubkey,

earlyBirdWithdrawalCredentials,

earlyBirdSignature,

earlyBirdDepositDataRoot

);

// Second deposit targeting the same address

DepositContract(depositAddress).deposit(

targetPubkey,

targetWithdrawalCredentials,

targetSignature,

targetDepositDataRoot

);

}

Tools Used

Recommendations

To mitigate these risks, consider implementing time locks on deposits, per-address deposit limits, multi-sig approval for large deposits, and comprehensive event logging for all deposits. Additionally, ensure that the contract interacts securely with other components of the larger system to prevent potential exploits.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.