Impact
Affected component(s)
function _withdraw in YearnStakingDelegate.sol
Attack vector(s)
An attacker could exploit the out-of-order execution of the balance update and the checkpoint recording. Because _checkpointUserBalance runs only after balanceOf[msg.sender][gauge] has already been decreased, the checkpoint is taken from post-withdrawal state and no longer reflects the balance the user actually held since the previous checkpoint. The resulting inaccurate state can be leveraged to disrupt the contract's intended functionality.
Suggested description of the vulnerability for use in the CVE
The _withdraw function in the smart contract managing staking operations records the user balance checkpoint (_checkpointUserBalance) after updating the user's balance (balanceOf[msg.sender][gauge]). This incorrect ordering causes discrepancies between the actual user balance and the recorded checkpoint. The flaw can potentially be exploited to disrupt balance tracking and related operations within the contract, leading to denial of service and other unintended behaviors.
Discoverer(s)/Credits
xFuzz
Proposed Solution
To mitigate this vulnerability, the checkpoint recording should be moved before the balance update in _withdraw. The corrected sequence is:
1. Record the checkpoint using _checkpointUserBalance.
2. Update balanceOf[msg.sender][gauge].
3. Update totalDeposited[gauge].
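The following is an added example, not code from the advisory or from YearnStakingDelegate.sol. It models a gauge whose per-user checkpoint accrues a time-weighted balance, so the effect of calling the checkpoint before or after the balance update shows up as a concrete number. The assumption is that the real _checkpointUserBalance derives something (rewards, weight) from the balance current at the time of the call; the names Gauge, withdraw_vulnerable, withdraw_fixed, expected_integral and the sample timeline are hypothetical and constructed for this example.

```python
# Added example (not the project's code): a minimal staking-gauge model whose
# checkpoint accrues balance * elapsed_seconds.  ASSUMPTION: the real
# _checkpointUserBalance derives state from the balance current at call time.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Gauge:
    """Per-gauge staking state, mirroring the names used in the report."""
    balance_of: dict[str, int] = field(default_factory=dict)       # balanceOf[user][gauge]
    total_deposited: int = 0                                        # totalDeposited[gauge]
    integral_of: dict[str, int] = field(default_factory=dict)      # accrued balance-seconds
    last_checkpoint: dict[str, int] = field(default_factory=dict)  # last checkpoint time

    def _checkpoint_user_balance(self, user: str, now: int) -> None:
        """Credit the user with balance * seconds elapsed since the last checkpoint.

        The balance seen *at the time of the call* is applied to the whole
        interval, which is why this must run before the balance changes."""
        last = self.last_checkpoint.get(user, now)
        held = self.balance_of.get(user, 0)
        self.integral_of[user] = self.integral_of.get(user, 0) + held * (now - last)
        self.last_checkpoint[user] = now

    def deposit(self, user: str, amount: int, now: int) -> None:
        self._checkpoint_user_balance(user, now)          # checkpoint first
        self.balance_of[user] = self.balance_of.get(user, 0) + amount
        self.total_deposited += amount

    def withdraw_vulnerable(self, user: str, amount: int, now: int) -> None:
        """Ordering described in the report: state updated, then checkpointed."""
        if self.balance_of.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance_of[user] -= amount
        self.total_deposited -= amount
        self._checkpoint_user_balance(user, now)          # too late: sees the reduced balance

    def withdraw_fixed(self, user: str, amount: int, now: int) -> None:
        """Proposed fix: checkpoint, then balanceOf, then totalDeposited."""
        self._checkpoint_user_balance(user, now)          # 1. record checkpoint
        if self.balance_of.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance_of[user] -= amount                   # 2. update balanceOf
        self.total_deposited -= amount                    # 3. update totalDeposited


def expected_integral(events: list[tuple[int, int]], until: int) -> int:
    """Ground truth computed directly from the timeline, with no checkpoints.

    events: (timestamp, signed amount) in chronological order."""
    total, balance, prev = 0, 0, 0
    for ts, delta in events:
        total += balance * (ts - prev)
        balance += delta
        prev = ts
    return total + balance * (until - prev)


def simulate(withdraw: str) -> tuple[int, int, int]:
    """Run one constructed deposit/withdraw timeline through a withdraw variant.

    Returns (integral the contract recorded, ground-truth integral, totalDeposited)."""
    g = Gauge()
    events = [(0, +100), (10, -60), (25, -40)]     # constructed sample timeline
    g.deposit("alice", 100, now=0)
    getattr(g, withdraw)("alice", 60, now=10)
    getattr(g, withdraw)("alice", 40, now=25)
    g._checkpoint_user_balance("alice", now=40)    # e.g. a later claim or view
    return g.integral_of["alice"], expected_integral(events, 40), g.total_deposited


if __name__ == "__main__":
    for variant in ("withdraw_vulnerable", "withdraw_fixed"):
        recorded, truth, total = simulate(variant)
        print(f"{variant:20s} recorded={recorded:5d} truth={truth:5d} totalDeposited={total}")
```

With the vulnerable ordering the user's 100 tokens held for the first ten seconds are accounted at the post-withdrawal balance of 40, and the 40 held for the next fifteen seconds at 0, so the contract records 400 balance-seconds against a true 1600; the fixed ordering matches the ground truth exactly. totalDeposited ends at 0 in both variants, which is why a balance-only sanity check would not catch the bug. The same "checkpoint first" rule has to hold on every path that mutates the balance, including deposit, not just _withdraw.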
Reference(s)