Closed code423n4 closed 1 year ago
dmvt marked the issue as primary issue
vince0656 marked the issue as sponsor disputed
Not sure what someone gains by doing this. In order for their front run transaction to go through, they have to use 4 of their own ETH and they will not have the correct signing key to proceed which is a differnet issue beacuse then people would waste time staking for a BLS key that can never be staked. It is possible to filter BLS keys that have invalid node runner registrations.
Yeah I didn't fully appreciate that on the first pass. Given how expensive this griefing attack would be to execute, and the relatively low impact, I don't think this is a real issue.
dmvt marked the issue as nullified
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/LiquidStakingManager.sol#L426
Vulnerability details
Impact
The registerBLSPublicKeys and deposit function in StakingFundsVault.sol and in SavETHVault.sol is vulnerable to frontrunning.
Proof of Concept
When user register a ETH 2.0 public key as the node operator, he needs to call the function register in LiquidStakingManager.sol
the blsSignature is used for ETH 2.0 staking related validation:
https://kb.beaconcha.in/ethereum-2-keys#ethereum-2-keys
However, this function is vulnerable to front-running.
Consider this case:
Tools Used
Code inspection.
Recommended Mitigation Steps
Let the msg.sender of the registerBLSPublicKeys can submit a signature (generated using msg.sender address and the public key and eoaRepresentative across) along with the transaction to prove that the eoaRepresentative and the public key is used correctly.