Open code423n4 opened 1 year ago
Picodes marked the issue as duplicate of #242
Picodes changed the severity to QA (Quality Assurance)
This issue is identified as a dup of https://github.com/code-423n4/2022-06-stader-findings/issues/242, which is currently classified as a quality assurance (QA) issue
The decision to downgrade is based on the comment provided by the sponsor in https://github.com/code-423n4/2022-06-stader-findings/issues/242
Only Staked funds related flows are required to be pausable by protocol design.
However, this issue is indeed related to staked funds. StaderStakePoolsManager.depositETHOverTargetWeight
calls IStaderPoolBase(poolAddress).stakeUserETHToBeaconChain{value: validatorToDeposit * poolDepositSize}()
to stake funds into the pool. Therefore, it should have the whenNotPaused
modifier.
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L243
In conclusion, this issue should not be considered a dup of https://github.com/code-423n4/2022-06-stader-findings/issues/242. And the severity should be reconsidered
@sanjay-staderlabs tagging you for visibility
Hi @Picodes @sces60107 there is no need of pause in depositETHOverTargetWeight
as this function is already safeguarded with a cooldown period of excessETHDepositCoolDown
. Protocol can increase the cooldown to pause this function.
Hi @sanjay-staderlabs
Technically, I agree that the protocol can definitely increase the cooldown period to pause depositETHOverTargetWeight
. However, I don't think increasing cooldown period is a proper way to pause this function. Using two pause mechanisms simultaneously doesn't seem reasonable to me. The pause and unpause actions are split into two steps, which makes things complicated.
But if there is any good reason that the protocol want to pause only one specific function, I fully agree with your decision. And I fully respect @Picodes's final decision and will have no further dispute.
As shown by the sponsor it is possible to increase the cooldown to effectively pause this function. As a consequence, there is no broken functionality or risk of loss of funds here, so QA severity is more appropriate
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L215 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L183
Vulnerability details
Impact
When
StaderStakePoolsManager
is paused, deposits should be paused. Also, bothStaderStakePoolsManager.validatorBatchDeposit
andStaderStakePoolsManager.depositETHOverTargetWeight
should be paused. But onlyStaderStakePoolsManager.validatorBatchDeposit
has thewhenNotPaused
modifier.StaderStakePoolsManager.depositETHOverTargetWeight
can still be called whenStaderStakePoolsManager
is paused.Proof of Concept
When
StaderStakePoolsManager
is paused,StaderStakePoolsManager.validatorBatchDeposit
cannot be called. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L183But
StaderStakePoolsManager.depositETHOverTargetWeight
is still able to be called. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L215Tools Used
Manual Review
Recommended Mitigation Steps
Add the
whenNotPaused
modifier ondepositETHOverTargetWeight
Assessed type
Context