Closed code423n4 closed 1 year ago
Picodes marked the issue as primary issue
Exchange rate is updated daily and considers all ETH, not just staked ETH. Withdrawal delay should further disincentivize this behavior.
manoj9april marked the issue as sponsor disputed
Indeed there are already some mitigations for this, especially the withdrawal delay and the fact that the oracle shouldn't be stale. It would have required a detailed PoC.
Picodes marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L125-L132
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/ValidatorWithdrawalVault.sol#L77
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/NodeELRewardVault.sol#L36
Vulnerability details
Impact
The attacker can take profit with the delayed exchange rate updating mechanism. He can deposit to the protocol to take a share of a large MEV reward generated by the protocol before the exchange rate update.
Proof of Concept
The getExchangeRate() function is called to calculate the shares minted to the depositor. The getExchangeRate() function consults StaderOracle for two storage variables, totalETHXSupply and totalETHBalance.
The totalETHBalance can be stale because the real total balance can be updated by NodeELRewardVault and ValidatorWithdrawalVault at random blocks.
The attacker can deposit to take profit when he sees a stale totalETHBalance.
Tools Used
Manual review.
Recommended Mitigation Steps
Additionally, consult the NodeELRewardVault and ValidatorWithdrawalVault balances for a more seasonable total ETH balance. Record the ETH change in the functions receiveExecutionLayerRewards and receiveWithdrawVaultUserShare.
Assessed type
MEV
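To size the exposure the report describes, the following is an added example (not code from the report or from the Stader contracts). It assumes shares are minted as `amount * totalETHXSupply / totalETHBalance`, that pending vault rewards are missing from the reported balance until the next oracle update, and it ignores the withdrawal delay the sponsor mentions; all function names and figures are hypothetical.

```python
ETH = 10**18  # wei per ETH


def shares_for_deposit(amount: int, ethx_supply: int, eth_balance: int) -> int:
    """Shares minted for a deposit at the rate implied by the given balances
    (assumed formula; the real getExchangeRate() is not shown on the page)."""
    return amount * ethx_supply // eth_balance


def value_shift(amount: int, ethx_supply: int, reported_balance: int,
                pending_rewards: int, mitigated: bool) -> int:
    """ETH (wei) moved from existing holders to a depositor who enters while
    pending_rewards are not yet reflected in the reported balance.

    mitigated=True models the recommended fix: the rate also counts ETH
    recorded by the vaults when it is received.
    """
    priced_balance = reported_balance + (pending_rewards if mitigated else 0)
    minted = shares_for_deposit(amount, ethx_supply, priced_balance)
    # After the next oracle update every wei is counted, including the deposit.
    true_balance = reported_balance + pending_rewards + amount
    deposit_value = minted * true_balance // (ethx_supply + minted)
    return deposit_value - amount


def max_tolerable_pending(reported_balance: int, bps_limit: int) -> int:
    """Largest unreported reward (wei) that keeps the rate error within
    bps_limit basis points; usable as a monitoring threshold."""
    return reported_balance * bps_limit // 10_000


if __name__ == "__main__":
    # Constructed figures: 1000 ETH pool, 10 ETH unreported reward, 100 ETH deposit.
    supply, reported, pending, deposit = 1000 * ETH, 1000 * ETH, 10 * ETH, 100 * ETH
    for mitigated in (False, True):
        shift = value_shift(deposit, supply, reported, pending, mitigated)
        print(f"mitigated={mitigated}: value shift = {shift / ETH:.6f} ETH")
    print("alert above", max_tolerable_pending(reported, 5) / ETH, "ETH pending")
```

The shift scales with the ratio of pending rewards to the reported balance, which is why the daily update interval and the staleness check cited in the comments bound it.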