StaderStakePoolsManager.depositETHOverTargetWeight helps stake all deposited ETH to the capacity available across any pool without disabling deposits. This feature is designed to be fair to all pools over time and enables Stader to stake all deposited ETH as long as the validator supply exists on any pool.
However, if StaderStakePoolsManager.depositETHOverTargetWeight is called when availableETHForNewDeposit > 0 && availableETHForNewDeposit < poolDepositSize, poolIdArrayIndexForExcessDeposit move forward but no ETH would be deposited.
A malicious user can use it to move poolIdArrayIndexForExcessDeposit and causes unfairness
We can find out that i moves forward when ethToDeposit is smaller than poolDepositSize. And poolIdArrayIndexForExcessDeposit is set to the new i. In conclusion, a malicious user can call StaderStakePoolsManager.depositETHOverTargetWeight to move poolIdArrayIndexForExcessDeposit when availableETHForNewDeposit > 0 && availableETHForNewDeposit < poolDepositSize. It could cause unfairness. It is said that depositETHOverTargetWeight is designed to be fair to all pools.
https://blog.staderlabs.com/ethx-deposits-bda0f62d8ed8
Tools Used
Manual Review
Recommended Mitigation Steps
It is hard to get the poolDepositSize in StaderStakePoolsManager.depositETHOverTargetWeight. Uses ETH_PER_NODE as the lower bound of availableETHForNewDeposit
function depositETHOverTargetWeight() external override nonReentrant {
if (block.number < lastExcessETHDepositBlock + excessETHDepositCoolDown) {
revert CooldownNotComplete();
}
…
+ uint256 ETH_PER_NODE = staderConfig.getStakedEthPerNode();
+ if (availableETHForNewDeposit < ETH_PER_NODE ) {
- if (availableETHForNewDeposit == 0) {
revert InsufficientBalance();
}
}
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L215 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PoolSelector.sol#L93 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PoolSelector.sol#L99-L104
Vulnerability details
Impact
StaderStakePoolsManager.depositETHOverTargetWeight
helps stake all deposited ETH to the capacity available across any pool without disabling deposits. This feature is designed to be fair to all pools over time and enables Stader to stake all deposited ETH as long as the validator supply exists on any pool.However, if
StaderStakePoolsManager.depositETHOverTargetWeight
is called whenavailableETHForNewDeposit > 0 && availableETHForNewDeposit < poolDepositSize
,poolIdArrayIndexForExcessDeposit
move forward but no ETH would be deposited.A malicious user can use it to move
poolIdArrayIndexForExcessDeposit
and causes unfairnessProof of Concept
StaderStakePoolsManager.depositETHOverTargetWeight
callsPoolSelector.poolAllocationForExcessETHDeposit(availableETHForNewDeposit)
to get the selected pool capacity. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L215In
PoolSelector.poolAllocationForExcessETHDeposit
, it calculate theselectedPoolCapacity
and move poolIdArrayIndexForExcessDeposit. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PoolSelector.sol#L93 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PoolSelector.sol#L99-L104Suppose
ethToDeposit
is smaller thanpoolDepositSize
. The following things happen.We can find out that
i
moves forward whenethToDeposit
is smaller thanpoolDepositSize
. AndpoolIdArrayIndexForExcessDeposit
is set to the newi
. In conclusion, a malicious user can callStaderStakePoolsManager.depositETHOverTargetWeight
to movepoolIdArrayIndexForExcessDeposit
whenavailableETHForNewDeposit > 0 && availableETHForNewDeposit < poolDepositSize
. It could cause unfairness. It is said thatdepositETHOverTargetWeight
is designed to be fair to all pools. https://blog.staderlabs.com/ethx-deposits-bda0f62d8ed8Tools Used
Manual Review
Recommended Mitigation Steps
It is hard to get the poolDepositSize in
StaderStakePoolsManager.depositETHOverTargetWeight
. Uses ETH_PER_NODE as the lower bound ofavailableETHForNewDeposit
Assessed type
Other