donateTokens()
is designed to allow token donations to the protocol. However, it has a critical flaw: it modifies totalStaked
without increasing the number of shares. This vulnerability can be exploited by an attacker, resulting in users receiving 0 shares.
deposit()
is invoked from the PriorityPool to deposit user tokens into the strategies and mint the corresponding shares accordingly.
_mint()
is responsible for calculating the number of shares that users will receive. It does this by calling the getSharesByStake()
to perform the necessary calculations.
As you can see, it uses the standard formula to calculate the shares. However, the issue arises from the donateTokens()
.
As you can see, the donateTokens()
is external and can be called by anyone. The problem is that it adds the donated amount to totalStaked
without increasing the number of shares. A malicious user could exploit this vulnerability to reduce the number of shares users receive to 0.
This will occur when totalStaked > _amount * totalShares
.
To illustrate the problem copy the following POC into staking-pool.test.ts file
:
An attacker can manipulate the system in such a way that users end up receiving 0 shares.
Manual review.
There are several approaches to address this problem, but the simplest and most effective solution is to remove the donateTokens()
.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.