code-423n4
/
2023-06-stader-findings
issues
Upgraded Q -> 2 from #130 [1686726021314]
#427
c4-judge
closed
1 year ago
2
Upgraded Q -> 2 from #327 [1686724891862]
#426
c4-judge
closed
1 year ago
2
QA Report
#425
code423n4
closed
1 year ago
1
Inflation attack in StaderStakePoolsManager
#424
code423n4
closed
1 year ago
4
No way out of the loop if operator not active
#423
code423n4
closed
1 year ago
2
Gas Optimizations
#422
code423n4
opened
1 year ago
1
Gas Optimizations
#421
code423n4
closed
1 year ago
1
A trusted node has the ability to submit the `ExchangeRate` multiple times for a single `reportingBlockNumber`.
#420
code423n4
closed
1 year ago
3
VaultProxy's default owner can be changed in StaderConfig
#419
code423n4
closed
1 year ago
2
`VaultProxy` implementation can be initialized by anyone and self-destructed
#418
code423n4
opened
1 year ago
6
Inconsistency in the bidIncrement
#417
code423n4
closed
1 year ago
1
Chainlink's latestRoundData might return stale or incorrect results
#416
code423n4
closed
1 year ago
2
Gas Optimizations
#415
code423n4
opened
1 year ago
1
FRONT-RUNNING SUSCEPTIBILITY IN ADDBID()
#414
code423n4
closed
1 year ago
5
Gas Optimizations
#413
code423n4
opened
1 year ago
2
Lack of max value for `_excessETHDepositCoolDown` in `StaderStakePoolsManager` can be used to pause the contract indefinitely
#412
code423n4
closed
1 year ago
1
Complete Loss of Tokens and Value after the auction ends
#411
code423n4
closed
1 year ago
1
Bidders are able to outbid the highest bidder by matching their highest bid if `Auction.bidIncrement` is set to zero
#410
code423n4
opened
1 year ago
3
Math rounding in StaderStakePoolsManager.sol is not ERC4626-compliant: previewWithdraw should round up.
#409
code423n4
closed
1 year ago
3
Exploitation by Malicious Users: Manipulating Gas Fees in Withdrawal Finalization
#408
code423n4
closed
1 year ago
5
There is still a transfer of eth even when contract is paused, due to missing whenNotPaused modifier
#407
code423n4
closed
1 year ago
2
QA Report
#406
code423n4
closed
1 year ago
1
QA Report
#405
code423n4
opened
1 year ago
1
The incorrect check implemented in the UserWithdrawalManager undermines the effectiveness of the timelock for claiming ETH
#404
code423n4
closed
1 year ago
3
Insufficient Slippage Control in UserWithdrawalManager's ETH Withdrawal
#403
code423n4
closed
1 year ago
4
NodeELRewardVault won't emit events upon rewards receival
#402
code423n4
closed
1 year ago
1
QA Report
#401
code423n4
closed
1 year ago
1
A malicious early attacker can manipulate the xETH's pricePerShare to take an unfair share of future users' deposits
#400
code423n4
closed
1 year ago
11
Gas Optimizations
#399
code423n4
closed
1 year ago
1
Rounding Issues In previewWithdraw() In StaderStakePoolsManager
#398
code423n4
closed
1 year ago
5
UNRESTRICTED USAGE OF CREATELOT() RISKS UNINTENTIONAL SD TOKEN DONATIONS
#397
code423n4
closed
1 year ago
5
The implementation of the withdrawal logic inside SDCollateral is missing the timelock mechanism
#396
code423n4
closed
1 year ago
2
The utilization of a hardcoded time value is incorrect when deployed to blockchains other than Ethereum
#395
code423n4
closed
1 year ago
4
Gas Optimizations
#394
code423n4
opened
1 year ago
3
SD Collateral Auction can be gamed because lack of connection between bidIncrement and the SD auction amount
#393
code423n4
closed
1 year ago
3
The increaseTotalValidatorActiveCount in PermissionedPool incorrectly adds requiredValidators instead of validatorToDeposit
#392
code423n4
closed
1 year ago
4
`VaultFactory.computeWithdrawVaultAddress()` and `VaultFactory.computeNodeELRewardVaultAddress()` return wrong addresses if `VaultFactory.vaultProxyImplementation` has been updated
#391
code423n4
closed
1 year ago
12
Risk of losing admin access if updateAdmin set with same current admin address
#390
code423n4
opened
1 year ago
13
QA Report
#389
code423n4
opened
1 year ago
1
Gas Optimizations
#388
code423n4
opened
1 year ago
3
Gas Optimizations
#387
code423n4
opened
1 year ago
1
The admin address used in initialize function, can behave maliciously
#386
code423n4
closed
1 year ago
4
There is no check to see if eth was successfully sent from ValidatorWithdrawalVault to StaderStakePoolsManager.
#385
code423n4
closed
1 year ago
1
QA Report
#384
code423n4
opened
1 year ago
2
`pause/unpause` functionalities not implemented in many pausable contracts
#383
code423n4
opened
1 year ago
6
Gas Optimizations
#382
code423n4
opened
1 year ago
2
QA Report
#381
code423n4
closed
1 year ago
5
Tokens can be lost when trying to deposit in SDCollateral.depositSDAsCollateral() or trying to withdraw SDCollateral.withdraw()
#380
code423n4
closed
1 year ago
8
QA Report
#379
code423n4
opened
1 year ago
1
Gas Optimizations
#378
code423n4
opened
1 year ago
2