code-423n4 / 2023-04-eigenlayer-findings


Manipulation Compromised proposal processing claimDelayedWithdrawals #390

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/pods/DelayedWithdrawalRouter.sol#L79

Vulnerability details

Impact

By exploiting legitimate users' access to claim delayed withdrawals, an attacker could potentially drain a sizable portion of the contract's funds before detection. Manipulative access to critical system functions poses a substantial financial risk.

Proof of Concept

Here is a proof of concept for manipulating delayed withdrawal claims by compromising users:

1. The attacker gains control/influence over some number of users with access to claimDelayedWithdrawals. This could be done through social engineering, bribery, phishing attacks or other malicious means targeting users with holdings that will yield delayed withdrawals.

2. Once the attacker has control over a group of users, they instruct those users to repeatedly call claimDelayedWithdrawals when the attacker specifies, in order to drain funds from the contract at the attacker's direction.

3. The attacker monitors the contract's holdings, the mapping of users to delayed withdrawals due, and the withdrawal delay settings. They calculate the optimal timing to instruct their compromised users to start claiming withdrawals so as to maximally drain funds before any are noticed missing.

4. When ready to execute the attack, the attacker issues instructions to their controlled users to begin furiously claiming as many delayed withdrawals as possible by continuously calling claimDelayedWithdrawals.

5. If done properly, the attacker could potentially drain a sizable portion of the contract's holdings before the manipulations are detected, at which point the damage would already be done. The stolen funds would be sent to addresses controlled by the attacker.

This PoC outlines how an attacker gaining control over users with access to claimDelayedWithdrawals could manipulate the system by exploiting that access to repeatedly call the function and drain funds until the attack is noticed. With enough compromised users and the right tactics, a significant attack is possible according to this threat scenario, highlighting the need for appropriate access controls and limits.

Tools Used

The only tools involved are malicious social engineering, bribery, phishing attacks or similar tactics used to compromise legitimate users and gain control/influence over their access. No sophisticated technical skills or tools would be required beyond the capabilities of a moderately capable attacker.

Recommended Mitigation Steps

Here are some recommendations to help mitigate the risk of manipulation through compromised user access:

• Enforce account limits - Apply limits to the maximum number of delayed withdrawal claims that can be made by a single user/account in a time period. This makes large-scale manipulation much more difficult.

• Require multi-signature - Require approval for claims from multiple parties (e.g. user and pod manager) instead of only the user. This introduces more points of failure for an attack and is harder to compromise.

• Educate users - Provide clear guidance for users on how to detect and avoid malicious attempts to manipulate their access (e.g. never share private info or sign TXs blindly). An informed user base is more resilient.

• Monitor activity - Apply limits to the rate of claims for any single user and monitor unusual spikes in activity which could indicate compromised access or manipulation attempts. Cap limits conservatively.

• Limit access - Grant only the access absolutely necessary for legitimate use cases. Limiting the scope of access reduces the impact even if that access is somehow compromised.

• Owner undergoes multi-signature - Apply the same multi-signature requirement to the owner that can adjust critical configuration (e.g. withdrawal delays) to reduce risk of malicious configuration changes if that access is compromised.

Assessed type

Invalid Validation
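As an added illustration of the "enforce account limits" suggestion in the report above, here is a hypothetical contract that caps how many claim calls a single recipient may make per time window. This is example code written for this page; it is not EigenLayer's DelayedWithdrawalRouter and not part of the original submission. The contract name, the window length, the cap, the delay value and the storage layout are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example (not EigenLayer code): a delayed-withdrawal queue whose
// claim function is rate limited per recipient. All names and constants are
// assumptions made for this illustration.
contract RateLimitedDelayedWithdrawals {
    struct DelayedWithdrawal {
        uint224 amount;
        uint32 blockCreated;
    }

    uint256 public constant CLAIM_WINDOW = 1 days;          // assumed window length
    uint256 public constant MAX_CLAIMS_PER_WINDOW = 3;      // assumed cap per window
    uint256 public constant WITHDRAWAL_DELAY_BLOCKS = 50_400; // assumed delay (~7 days at 12s)

    mapping(address => DelayedWithdrawal[]) private _queue;
    mapping(address => uint256) private _nextUnclaimed; // index of first unclaimed entry
    mapping(address => uint256) private _windowStart;
    mapping(address => uint256) private _claimsInWindow;

    event DelayedWithdrawalCreated(address indexed recipient, uint256 amount, uint256 blockCreated);
    event DelayedWithdrawalsClaimed(address indexed recipient, uint256 amountClaimed, uint256 entriesClaimed);

    // Per-recipient rate limit: start a fresh window once the previous one has
    // elapsed, then refuse the call if the cap for the current window is reached.
    modifier rateLimited(address recipient) {
        if (block.timestamp >= _windowStart[recipient] + CLAIM_WINDOW) {
            _windowStart[recipient] = block.timestamp;
            _claimsInWindow[recipient] = 0;
        }
        require(_claimsInWindow[recipient] < MAX_CLAIMS_PER_WINDOW, "claim limit reached for window");
        _claimsInWindow[recipient] += 1;
        _;
    }

    // Queue an amount for later withdrawal by `recipient`.
    function createDelayedWithdrawal(address recipient) external payable {
        require(msg.value > 0, "nothing to queue");
        _queue[recipient].push(DelayedWithdrawal(uint224(msg.value), uint32(block.number)));
        emit DelayedWithdrawalCreated(recipient, msg.value, block.number);
    }

    // Pays out only the caller's own matured entries, at most `maxToClaim` of
    // them, and only MAX_CLAIMS_PER_WINDOW times per CLAIM_WINDOW per caller.
    // Repeated calls cannot pay more than the caller is owed: the cursor
    // `_nextUnclaimed` advances past every entry that has been paid.
    function claimDelayedWithdrawals(uint256 maxToClaim) external rateLimited(msg.sender) {
        DelayedWithdrawal[] storage entries = _queue[msg.sender];
        uint256 i = _nextUnclaimed[msg.sender];
        uint256 total;
        uint256 claimed;
        while (i < entries.length && claimed < maxToClaim) {
            if (block.number < uint256(entries[i].blockCreated) + WITHDRAWAL_DELAY_BLOCKS) {
                break; // entries are in creation order, so later ones are not matured either
            }
            total += entries[i].amount;
            claimed += 1;
            i += 1;
        }
        _nextUnclaimed[msg.sender] = i; // effects before interaction
        if (total > 0) {
            (bool ok, ) = msg.sender.call{value: total}("");
            require(ok, "transfer failed");
        }
        emit DelayedWithdrawalsClaimed(msg.sender, total, claimed);
    }

    // View helper so a recipient can see how many claim calls remain in the window.
    function claimsRemainingInWindow(address recipient) external view returns (uint256) {
        if (block.timestamp >= _windowStart[recipient] + CLAIM_WINDOW) {
            return MAX_CLAIMS_PER_WINDOW;
        }
        return MAX_CLAIMS_PER_WINDOW - _claimsInWindow[recipient];
    }
}
```

The cap is applied to the number of calls, not to the amount, which is the reading most consistent with the report's wording; a window rollover resets the counter lazily on the next call, so no keeper transaction is needed. Note that a limit of this kind constrains how often a recipient can claim, but it does not change what they can claim: each call still pays only the caller's own matured entries.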

0xSorryNotSorry commented 1 year ago

Spam

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid