`StaderOracle` uses data feeds to obtain the ETH balance and ETHX supply values, but it does not validate their correctness, which can result in incorrect results or stale data.
Those values are used to update the `exchangeRate` storage value in `StaderOracle`.
That value is ultimately used by `StaderStakePoolsManager` to calculate asset and share conversions for deposits and withdrawals, hence the importance of accurate values.
Impact
Incorrect calculation of the amount of shares and assets on deposits and withdrawals from `StaderStakePoolsManager` and `UserWithdrawalManager`, at the expense of either the user or the protocol.
Proof of Concept
`StaderOracle` does not check the results of `latestRoundData()` for staleness or correctness (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646-L649). These values come from data feeds.
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646-L649
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L164-L165
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L676
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L679-L686
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L616-L618
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L271-L277
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L294-L298
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L169-L177
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/UserWithdrawalManager.sol#L95-L111
Vulnerability details
These values are retrieved and updated in `updateERFromPORFeed()` (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L164-L165), which calls `_updateExchangeRate` (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L676) and updates the `exchangeRate` storage variable (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L679-L686).
This value is then retrieved via `getExchangeRate()` (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L616-L618).
The contract that retrieves that value is `StaderStakePoolsManager`. It is ultimately used to calculate `previewDeposit()` (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L271-L277) and `previewWithdraw()` (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L294-L298).
`previewDeposit()` is used in the `deposit()` function to calculate the shares that will be minted to the depositor (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L169-L177).
`previewWithdraw()` is used by `UserWithdrawalManager` to calculate the `assets`, and ultimately the `ethExpected` to be received (https://github.com/code-423n4/2023-06-stader/blob/main/contracts/UserWithdrawalManager.sol#L95-L111).
The asset and share calculations on deposits and withdrawals are at the expense of the user or the protocol, hence the importance of their accuracy.
Tools Used
Manual Review
Recommended Mitigation Steps
Verify the results returned by `latestRoundData`, checking `roundId` and `updatedAt` for stale results, and `answer` for incorrect results such as `0`.
Assessed type
Oracle
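As an added example of the mitigation above (not Stader's code and not taken from the audited repository), the following contract reads two Chainlink-style feeds through a validated helper before dividing one answer by the other, and keeps the unchecked read beside it to show the pattern the Proof of Concept describes. The `AggregatorV3Interface` signatures are Chainlink's; the contract name, the roles assigned to the two feeds, the `maxFeedAge` parameter and the 1e18 rate scaling are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal subset of Chainlink's AggregatorV3Interface; signatures match the public interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Added example (not Stader's code): an exchange-rate updater that validates both
/// feed answers before using them. Feed roles, maxFeedAge and the 1e18 scaling are assumed.
contract ValidatedFeedReader {
    error InvalidAnswer(int256 answer);
    error IncompleteRound(uint80 roundId, uint256 updatedAt);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StaleAnswer(uint256 updatedAt, uint256 maxAge);
    error ZeroSupply();

    AggregatorV3Interface public immutable ethBalanceFeed; // assumed: reports the ETH backing the pool
    AggregatorV3Interface public immutable ethxSupplyFeed; // assumed: reports the ETHx total supply
    uint256 public immutable maxFeedAge;                   // seconds; derived from the feed heartbeat plus slack

    uint256 public exchangeRate; // ETH per ETHx, scaled by 1e18 (assumed scaling)

    constructor(address _ethBalanceFeed, address _ethxSupplyFeed, uint256 _maxFeedAge) {
        ethBalanceFeed = AggregatorV3Interface(_ethBalanceFeed);
        ethxSupplyFeed = AggregatorV3Interface(_ethxSupplyFeed);
        maxFeedAge = _maxFeedAge;
    }

    /// The unchecked pattern the finding describes: the answer is trusted as-is.
    /// A 0 answer propagates as 0, and a negative answer wraps to a very large uint256.
    function _readUnchecked(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    /// Hardened read: reverts instead of returning a stale, incomplete or non-positive answer.
    function _readValidated(AggregatorV3Interface feed) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        if (answer <= 0) revert InvalidAnswer(answer);                                   // 0 or negative is not a balance/supply
        if (roundId == 0 || updatedAt == 0) revert IncompleteRound(roundId, updatedAt);   // round never completed
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);       // answer carried over from an older round
        if (block.timestamp - updatedAt > maxFeedAge) revert StaleAnswer(updatedAt, maxFeedAge); // heartbeat missed
        return _scaleTo18(uint256(answer), feed.decimals());
    }

    /// Bring answers from feeds with different decimals onto a common 18-decimal scale.
    function _scaleTo18(uint256 value, uint8 dec) internal pure returns (uint256) {
        if (dec == 18) return value;
        return dec < 18 ? value * 10 ** (18 - dec) : value / 10 ** (dec - 18);
    }

    /// Only validated answers reach the division, so a bad round leaves the stored rate untouched.
    function updateExchangeRate() external {
        uint256 totalETHBalance = _readValidated(ethBalanceFeed);
        uint256 totalETHXSupply = _readValidated(ethxSupplyFeed);
        if (totalETHXSupply == 0) revert ZeroSupply(); // already excluded by answer > 0; kept explicit for the division
        exchangeRate = (totalETHBalance * 1e18) / totalETHXSupply;
    }
}
```

Because the hardened read reverts rather than returning a default, a missed heartbeat or an incomplete round leaves the previously stored `exchangeRate` in place instead of silently feeding `0` into the share and asset conversions. `maxFeedAge` should be chosen per feed from its documented heartbeat interval, and the two feeds should be checked against each other's `updatedAt` if the rate must reflect the same point in time.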