Lines of code
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L174-L176
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L165-L181
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L106
Vulnerability details
high
Title: An incorrect check in UserWithdrawalManager undermines the timelock on claiming ETH.
Links:
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L174-L176
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L165-L181
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L106
Impact
Any malicious user can bypass the timelock on claiming ETH. The issue lies in the claim() function, which only checks whether ethExpected is zero and never checks ethFinalized, the field that is set when a request is actually finalized.
Proof of Concept
To exploit this, a user first calls requestWithdraw, which immediately sets the ethExpected value of the newly created withdrawal request to the requested amount of "assets":
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L106
Because ethExpected is now non-zero, the following check inside claim() passes even though the request has not been finalized:
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L174-L176
This allows the attacker to bypass the timelock and claim ETH without waiting for the request to be finalized.
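The following is an added, constructed model of the claim() precondition described in this finding; it is not Stader's UserWithdrawalManager code. It keeps only the two fields the finding names (ethExpected, set at request time; ethFinalized, set at finalization) and compares the check the finding criticises, which looks at ethExpected alone, with a variant that additionally requires ethFinalized to be non-zero. The class, method and exception names are illustrative assumptions, not the project's identifiers.

```python
from dataclasses import dataclass
from typing import Callable, Dict


class RequestAlreadyRedeemed(Exception):
    """ethExpected is zero: the request was redeemed or never existed."""


class RequestNotFinalized(Exception):
    """ethFinalized is zero: no payout has been finalized for this request."""


@dataclass
class UserWithdrawInfo:
    """Subset of the request fields named in the finding (assumed layout)."""
    eth_expected: int = 0   # set at request time from the requested assets
    eth_finalized: int = 0  # set only when the request is finalized


class WithdrawalModel:
    """Request -> finalize -> claim lifecycle with two candidate claim checks."""

    def __init__(self) -> None:
        self.requests: Dict[int, UserWithdrawInfo] = {}
        self.next_request_id = 1

    def request_withdraw(self, assets: int) -> int:
        """Create a request; only ethExpected is known at this point."""
        request_id = self.next_request_id
        self.next_request_id += 1
        self.requests[request_id] = UserWithdrawInfo(eth_expected=assets)
        return request_id

    def finalize(self, request_id: int, eth: int) -> None:
        """Finalization (normally after the timelock) fixes the payout amount."""
        self.requests[request_id].eth_finalized = eth

    def claim_check_vulnerable(self, request_id: int) -> bool:
        """The check as the finding describes it: ethExpected only.

        Passes for a request that has merely been created, because
        request_withdraw() sets ethExpected immediately.
        """
        req = self.requests[request_id]
        if req.eth_expected == 0:
            raise RequestAlreadyRedeemed(request_id)
        return True

    def claim_check_fixed(self, request_id: int) -> bool:
        """Keeps the ethExpected sanity check and also requires ethFinalized."""
        req = self.requests[request_id]
        if req.eth_expected == 0:
            raise RequestAlreadyRedeemed(request_id)
        if req.eth_finalized == 0:
            raise RequestNotFinalized(request_id)
        return True


Check = Callable[[WithdrawalModel, int], bool]


def claim_admitted(model: WithdrawalModel, check: Check, request_id: int) -> bool:
    """True if the given check would let claim() proceed for request_id."""
    try:
        return check(model, request_id)
    except (RequestAlreadyRedeemed, RequestNotFinalized):
        return False


def compare_checks(assets: int = 10, finalized_eth: int = 9) -> Dict[str, Dict[str, bool]]:
    """Run both checks on a fresh request, then again after finalization."""
    outcome: Dict[str, Dict[str, bool]] = {}
    for name, check in (("vulnerable", WithdrawalModel.claim_check_vulnerable),
                        ("fixed", WithdrawalModel.claim_check_fixed)):
        model = WithdrawalModel()
        rid = model.request_withdraw(assets)
        before = claim_admitted(model, check, rid)   # timelock not yet elapsed
        model.finalize(rid, finalized_eth)
        after = claim_admitted(model, check, rid)
        outcome[name] = {"before_finalize": before, "after_finalize": after}
    return outcome


if __name__ == "__main__":
    # {'vulnerable': {'before_finalize': True, 'after_finalize': True},
    #  'fixed': {'before_finalize': False, 'after_finalize': True}}
    print(compare_checks())
```

The point the model makes is the one the finding rests on: a non-zero ethExpected only proves that a request exists, while a non-zero ethFinalized proves that finalization, and therefore the timelock, has actually run.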
Recommended Mitigation Steps
Change the check inside claim() so that it tests ethFinalized rather than only ethExpected:
Assessed type
ETH-Transfer