When deploying a contract in PermissionlessNodeRegistry.deployNodeELRewardVault(), an attacker can find out in advance the address of the future deployed contract and deploy his own at this address

[code423n4]

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PermissionlessNodeRegistry.sol#L106-L109 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/factory/VaultFactory.sol#L48-L60

Vulnerability details

Impact

The address of the new contract depends solely on the _salt parameter, which is calculated from user-provided data. Once a user's create transaction is broadcast, the parameters for calculating _salt can be viewed by anyone viewing the public mempool. This would result in an attacker being able to steal a share of the operator's reward and manipulate the distribution of the user and protocol reward.

Tools Used

Manual audit

Recommended Mitigation Steps

Consider making the upcoming pool address a specific user by concatenating the salt value with the user's address. bytes32 salt = sha256(abi.encode(_poolId, _operatorId, _validatorCount, msg.sender));

Assessed type

Governance

[Picodes]

This function is permissioned: see the modifier.

[c4-judge]

Picodes marked the issue as unsatisfactory: Insufficient proof