code-423n4 / 2022-11-stakehouse-findings


Malicious user can create a fake LPToken contract and trick users to burn their giant LP tokens #171

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantPoolBase.sol#L69-L90

Vulnerability details

Impact

A user can be tricked into calling withdrawLPTokens() with a malicious token address that is not an LPToken issued by the lptokenFactory, which can potentially cause them to lose all of their giant LP tokens.

Proof of Concept

withdrawLPTokens() does not check that the tokens in _lpTokens were issued by lptokenFactory. Such a token can be one that is not registered against any BLS public key. A malicious user can exploit this by creating a "fake" LPToken, sending it into the contract, and tricking a user into calling this function with the fake token as input. The end result is that the user is transferred this fake token, which has no value in the Stakehouse ecosystem, while burning their valuable giant LP tokens.

Tools Used

Manual Review

Recommended Mitigation Steps

A check should be added to withdrawLPTokens() to ensure that the tokens being withdrawn were created by the lptokenFactory.

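The shape of the bug and of the recommended mitigation, as an added illustration that is not the Stakehouse code from the linked repository: a simplified pool whose vulnerable withdrawLPTokens() burns the caller's giant LP tokens and hands out whatever address was passed in, beside a hardened version that first asks the factory whether it deployed that token. The interface ILPTokenFactory.isLPToken, the GiantLPToken burn hook, the MinimalLPToken, and the SimplifiedGiantPool contract are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example only. The Stakehouse contracts are not reproduced here; every
// name below (ILPTokenFactory.isLPToken, IGiantLPToken.burn, MinimalLPToken,
// SimplifiedGiantPool) is an assumption chosen to illustrate the report.

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IGiantLPToken {
    // Assumed: the pool is allowed to burn giant LP tokens on withdrawal.
    function burn(address from, uint256 amount) external;
}

interface ILPTokenFactory {
    // Assumed registry query: true only for LP tokens this factory deployed.
    function isLPToken(address token) external view returns (bool);
}

// Minimal stand-in for a factory-deployed LP token.
contract MinimalLPToken is IERC20Like {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// The factory is the only place LP tokens are created, so its deployment
// record is the authoritative list of "real" LP tokens.
contract LPTokenFactory is ILPTokenFactory {
    mapping(address => bool) private deployed;
    function deployLPToken() external returns (address token) {
        token = address(new MinimalLPToken());
        deployed[token] = true;
    }
    function isLPToken(address token) external view returns (bool) {
        return deployed[token];
    }
}

contract SimplifiedGiantPool {
    ILPTokenFactory public immutable lptokenFactory;
    IGiantLPToken public immutable giantLPToken;

    error LengthMismatch();
    error NotFactoryLPToken(address token);

    constructor(ILPTokenFactory factory, IGiantLPToken giant) {
        lptokenFactory = factory;
        giantLPToken = giant;
    }

    // VULNERABLE: any address is accepted as an LP token. An attacker who parks
    // a worthless ERC20 in this pool can trick a victim into calling this with
    // that address; the victim's giant LP tokens are burned for nothing.
    function withdrawLPTokensVulnerable(address[] calldata _lpTokens, uint256[] calldata _amounts) external {
        if (_lpTokens.length != _amounts.length) revert LengthMismatch();
        for (uint256 i; i < _lpTokens.length; ++i) {
            giantLPToken.burn(msg.sender, _amounts[i]);
            IERC20Like(_lpTokens[i]).transfer(msg.sender, _amounts[i]);
        }
    }

    // HARDENED: refuse any token the factory did not deploy, and do so before
    // the burn so a rejected call leaves the caller's balance untouched.
    function withdrawLPTokens(address[] calldata _lpTokens, uint256[] calldata _amounts) external {
        if (_lpTokens.length != _amounts.length) revert LengthMismatch();
        for (uint256 i; i < _lpTokens.length; ++i) {
            address token = _lpTokens[i];
            if (!lptokenFactory.isLPToken(token)) revert NotFactoryLPToken(token);
            giantLPToken.burn(msg.sender, _amounts[i]);
            IERC20Like(token).transfer(msg.sender, _amounts[i]);
        }
    }
}
```

The check is placed ahead of the burn deliberately: validating the token address after state changes would still burn the giant LP tokens before the revert is reached in a non-reverting (silently failing) transfer, whereas validating first makes a fake address a no-op for the caller.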
c4-judge commented 1 year ago

dmvt marked the issue as duplicate of #98

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory