When deploying a contract in PermissionlessNodeRegistry.deployNodeELRewardVault(), an attacker can find out in advance the address of the future deployed contract and deploy his own at this address #370
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PermissionlessNodeRegistry.sol#L106-L109
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/factory/VaultFactory.sol#L48-L60
Vulnerability details
Impact
The address of the new contract depends solely on the _salt parameter, which is calculated from user-provided data. Once a user's create transaction is broadcast, the parameters for calculating _salt can be viewed by anyone viewing the public mempool. This would result in an attacker being able to steal a share of the operator's reward and manipulate the distribution of the user and protocol reward.
Tools Used
Manual audit
Recommended Mitigation Steps
Consider making the upcoming pool address specific to a user by concatenating the salt value with the user's address.
bytes32 salt = sha256(abi.encode(_poolId, _operatorId, _validatorCount, msg.sender));
Assessed type
Governance
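The salt derivation discussed in this report, as an added example that is not part of the original submission or the Stader code base: it reproduces `sha256(abi.encode(...))` for static values and checks which salts more than one caller can reach, with and without `msg.sender` in the preimage. Assumptions: the pre-mitigation salt is the mitigation line minus `msg.sender`, the function names and sample callers are hypothetical, and only the salt is modelled, not the deployed address.

```python
import hashlib
from collections import defaultdict

def word(value: int) -> bytes:
    # abi.encode pads every static uintN value to one 32-byte big-endian word
    return value.to_bytes(32, "big")

def addr_word(addr: str) -> bytes:
    # An address is 20 bytes, left-padded with zeros to a 32-byte word
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("an address is exactly 20 bytes")
    return raw.rjust(32, b"\x00")

def salt_params_only(pool_id: int, operator_id: int, validator_count: int) -> bytes:
    # Assumed pre-mitigation form: the mitigation line without msg.sender
    data = word(pool_id) + word(operator_id) + word(validator_count)
    return hashlib.sha256(data).digest()

def salt_with_sender(pool_id: int, operator_id: int, validator_count: int, sender: str) -> bytes:
    # Mitigated form from the report: msg.sender is part of the preimage
    data = word(pool_id) + word(operator_id) + word(validator_count) + addr_word(sender)
    return hashlib.sha256(data).digest()

def cross_sender_collisions(calls, bind_sender: bool) -> dict:
    """Map salt -> senders, keeping only salts that more than one sender can produce."""
    by_salt = defaultdict(set)
    for sender, pool_id, operator_id, count in calls:
        if bind_sender:
            salt = salt_with_sender(pool_id, operator_id, count, sender)
        else:
            salt = salt_params_only(pool_id, operator_id, count)
        by_salt[salt].add(sender.lower())
    return {salt: who for salt, who in by_salt.items() if len(who) > 1}

# Constructed sample: two callers submit identical parameters, a third call differs
ALICE = "0x" + "aa" * 20
BOB = "0x" + "bb" * 20
CALLS = [(ALICE, 1, 7, 2), (BOB, 1, 7, 2), (BOB, 1, 8, 2)]

if __name__ == "__main__":
    print("shared salts, parameters only:", len(cross_sender_collisions(CALLS, False)))
    print("shared salts, sender bound:   ", len(cross_sender_collisions(CALLS, True)))
```

The same comparison can be run over the `(sender, _poolId, _operatorId, _validatorCount)` tuples of real calls to confirm that no salt is shared between callers once the sender is bound.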