Closed code423n4 closed 1 year ago
manoj9april marked the issue as sponsor acknowledged
Intention is to have 70% of total active validators in the permissionless pool (assuming the target is 70%). Total active validator count may change depending on the execution of validator batch deposit. We don't see any harm in that.
manoj9april marked the issue as disagree with severity
The described impact doesn't qualify for Medium severity in my opinion. The fact that actions are not path independent is not an issue in itself.
Picodes marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PoolSelector.sol#L50
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L199
Vulnerability details
Impact
When calling StaderStakePoolsManager.validatorBatchDeposit, it calls PoolSelector.computePoolAllocationForDeposit to get the validator count to deposit for the pool. It calculates the count based on the capacity and the weight of the pool. However, PoolSelector.computePoolAllocationForDeposit could return an unfair value due to the different poolDepositSize between the pools.
Proof of Concept
StaderStakePoolsManager.validatorBatchDeposit calls PoolSelector.computePoolAllocationForDeposit to get the validator count to deposit for the pool.
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L199
PoolSelector.computePoolAllocationForDeposit calculates the count based on the capacity and the weight of the pool.
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderStakePoolsManager.sol#L199
Suppose that availableETHForNewDeposit is 1600 ETH and the weight of the permissioned pool and the weight of the permissionless pool are the same. And no ETH has been sent to the pools:
Let’s do it again in a different order:
We can find out that the permissionless pool can only activate 26 validators if validatorBatchDeposit(2) is called first. It indicates that computePoolAllocationForDeposit could cause unfairness.
Tools Used
Manual Review
Recommended Mitigation Steps
The mitigation depends on how Stader wants to distribute the ETH based on the weight. If the weight should reflect the amount of ETH received by the pool, then poolTotalTarget should be calculated based on the total received ETH amount instead of the totalValidatorsRequired, since _newValidatorToRegister is calculated based on poolDepositSize. For instance, the calculation can be modified like:
Assessed type
Math