Status: Closed (closed by code423n4 1 year ago)
Picodes marked the issue as duplicate of #106
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Giving unsatisfactory to this submission as it is with sufficient likelihood a direct copy of #106
Picodes marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L48-L60
Vulnerability details
Impact
Auction.createLot allows unrestricted access. Consequently, any user can call this function, potentially leading to unintended donations of their Stader tokens. If no bidder emerges at the completion of an auction, these tokens are transferred to the treasury on line 114 (Auction.sol#L106-L118). Else, the ETH proceeds go to the stake pool manager on line 102 (Auction.sol#L93-L104).
Proof of Concept
createLot() is accessible to all (Auction.sol#L48). Someone may create a phishing link that approves the SD token transfer and tricks unaware users into calling the function.
This function is supposed to be called by SDCollateral.slashSD to send the slashed amount to auction. Regrettably, the Auction contract lacks restrictions that would prevent arbitrary users from invoking createLot() outside of a slashing context.
Recommended Mitigation Steps
It is suggested to restrict createLot to the SDCollateral contract only, to avoid users' accidental calls.
Assessed type
Access Control
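As an added illustration of the mitigation recommended above (not the audited Stader code), a minimal auction contract with the unrestricted createLot beside a version gated to a single SDCollateral address; the SD token interface, storage layout and constructor wiring are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;
// Added illustration only, not the audited Stader code. The SD token
// interface, storage layout and constructor wiring are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Before: anyone may call createLot. A user who was tricked into approving
// SD to this contract has it pulled into a lot they never meant to fund.
contract AuctionUnrestricted {
    IERC20 public immutable sdToken;
    uint256 public nextLot;
    mapping(uint256 => uint256) public lotAmount;

    constructor(IERC20 _sdToken) {
        sdToken = _sdToken;
    }

    function createLot(uint256 _sdAmount) external {
        lotAmount[nextLot++] = _sdAmount;
        require(sdToken.transferFrom(msg.sender, address(this), _sdAmount), "SD transfer failed");
    }
}

// After: only the configured SDCollateral address may open a lot, so lots
// can be created from a slashing context alone.
contract AuctionRestricted {
    IERC20 public immutable sdToken;
    address public immutable sdCollateral;
    uint256 public nextLot;
    mapping(uint256 => uint256) public lotAmount;

    error CallerNotSDCollateral(address caller);
    modifier onlySDCollateral() {
        if (msg.sender != sdCollateral) revert CallerNotSDCollateral(msg.sender);
        _;
    }

    constructor(IERC20 _sdToken, address _sdCollateral) {
        sdToken = _sdToken;
        sdCollateral = _sdCollateral;
    }

    function createLot(uint256 _sdAmount) external onlySDCollateral {
        lotAmount[nextLot++] = _sdAmount;
        require(sdToken.transferFrom(msg.sender, address(this), _sdAmount), "SD transfer failed");
    }
}
```

With the gated variant, an externally triggered call reverts with CallerNotSDCollateral before any transferFrom runs, so a stray SD approval alone can no longer fund a lot.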