code-423n4 / 2023-06-stader-findings


Exchange rate is stale for deposit to calculate shares #351

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L125-L132
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/ValidatorWithdrawalVault.sol#L77
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/NodeELRewardVault.sol#L36

Vulnerability details

Impact

The attacker can take profit from the delayed exchange rate updating mechanism. He can deposit to the protocol to take a share of a large MEV reward generated by the protocol before the exchange rate update.

Proof of Concept

The getExchangeRate() function is called to calculate the shares minted to the depositor. The getExchangeRate() function consults StaderOracle for two storage variables, totalETHXSupply and totalETHBalance.

The totalETHBalance can be stale because the real total balance can be updated by NodeELRewardVault and ValidatorWithdrawalVault at random blocks.

The attacker can deposit to take profit when he sees a stale totalETHBalance.

Tools Used

Manual review.

Recommended Mitigation Steps

Additionally, consult the NodeELRewardVault and ValidatorWithdrawalVault balances for a more seasonable total ETH balance. Record ETH changes in the functions receiveExecutionLayerRewards and receiveWithdrawVaultUserShare.

Assessed type

MEV
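A small Python model, added here and not part of the report or of Stader's code, of the share math the finding and its mitigation describe. The ERC4626-style conversion (shares = deposit * supply / totalAssets), the sample balances and the function names are assumptions chosen to make the effect visible.

```python
from dataclasses import dataclass

ETH = 10**18  # wei per ETH

@dataclass(frozen=True)
class OracleReport:
    """Snapshot of the two StaderOracle values getExchangeRate() returns (constructed)."""
    total_eth_balance: int  # totalETHBalance in wei
    total_ethx_supply: int  # totalETHXSupply in wei-denominated shares

def shares_for_deposit(deposit_wei: int, total_eth: int, total_supply: int) -> int:
    """Assumed ERC4626-style conversion: shares = deposit * supply / totalAssets.
    A first depositor gets 1:1; rounding is down as in mulDiv with Floor."""
    if total_supply == 0:
        return deposit_wei
    return deposit_wei * total_supply // total_eth

def shares_stale(deposit_wei: int, report: OracleReport) -> int:
    """Shares minted against the last oracle report only (behaviour the issue describes)."""
    return shares_for_deposit(deposit_wei, report.total_eth_balance, report.total_ethx_supply)

def shares_with_vaults(deposit_wei: int, report: OracleReport, pending_vault_eth: int) -> int:
    """Mitigation from the report: count ETH already sitting in NodeELRewardVault /
    ValidatorWithdrawalVault that the oracle has not yet folded into totalETHBalance."""
    return shares_for_deposit(deposit_wei, report.total_eth_balance + pending_vault_eth,
                              report.total_ethx_supply)

def redeemable(shares: int, total_shares: int, total_eth: int) -> int:
    """ETH a holder's shares are worth once the oracle has caught up."""
    return shares * total_eth // total_shares

def compare(deposit_wei: int, report: OracleReport, pending_vault_eth: int) -> dict:
    """Value of a deposit made just before the oracle reflects the pending vault ETH,
    under the stale rate and under the vault-aware rate. Returns wei amounts."""
    eth_after = report.total_eth_balance + pending_vault_eth + deposit_wei
    out = {}
    for label, s in (("stale", shares_stale(deposit_wei, report)),
                     ("vault_aware", shares_with_vaults(deposit_wei, report, pending_vault_eth))):
        out[label] = redeemable(s, report.total_ethx_supply + s, eth_after)
    return out

if __name__ == "__main__":
    # Constructed scenario: 1000 ETH backing 1000 ETHx, 100 ETH of MEV rewards
    # sitting in the vaults and not yet reported, then a 1000 ETH deposit.
    snapshot = OracleReport(total_eth_balance=1000 * ETH, total_ethx_supply=1000 * ETH)
    result = compare(1000 * ETH, snapshot, 100 * ETH)
    for label, value in result.items():
        print(f"{label:12s} deposit of 1000 ETH redeems {value / ETH:.6f} ETH after the update")
```

With the stale rate the late depositor's 1000 ETH redeems for 1050 ETH, half of the unreported 100 ETH, diluting existing holders; with vault balances included the deposit redeems for 1000 ETH (minus rounding), so the pending rewards stay with the holders who earned them.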

c4-judge commented 1 year ago

Picodes marked the issue as primary issue

manoj9april commented 1 year ago

Exchange rate is updated daily and considers all ETH not just staked ETH. Withdrawal delay should further disincentivize this behavior.

c4-sponsor commented 1 year ago

manoj9april marked the issue as sponsor disputed

Picodes commented 1 year ago

Indeed there are already some mitigations for this, especially the withdrawal delay and the fact that the oracle shouldn't be stale. It would have required a detailed PoC.

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Insufficient proof