Closed: code423n4 closed this issue 1 year ago
Picodes marked the issue as duplicate of #221
Picodes marked the issue as partial-50
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #221
Picodes changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderConfig.sol#L100 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/UserWithdrawalManager.sol#L64 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderConfig.sol#L97 https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/UserWithdrawalManager.sol#L117
Vulnerability details
Exploitation by Malicious Users: Manipulating Gas Fees in Withdrawal Finalization
Impact
A malicious user has the ability to manipulate gas fees by creating multiple withdrawal requests with the minimum withdrawal amount. Consequently, when legitimate users attempt to finalize their transactions, they end up significantly overpaying for gas.
Presently, the finalizeUserWithdrawalRequest() function can only handle the finalization of 50 withdrawals in a single transaction. Thus, if there is a sudden surge in withdrawal requests, users are compelled to repeatedly invoke finalizeUserWithdrawalRequest(), resulting in excessive gas fees.
The execution of this attack by a malicious user is relatively inexpensive. By using 0.1 SD tokens, they can generate 1000 withdrawal requests, compelling other users to invoke finalizeUserWithdrawalRequest() 20 times before they can complete their own request.
Proof of Concept
Current Settings of Stader:
Timelock: The minimum block delay to finalize a withdrawal request is set to 600 blocks.
setVariable(MIN_BLOCK_DELAY_TO_FINALIZE_WITHDRAW_REQUEST, 600);
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderConfig.sol#L100
Cap on Withdrawals: The maximum number of requests that can be finalized in one transaction is limited to 50.
maxRequestIdToFinalize = 50;
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/UserWithdrawalManager.sol#L64
Minimum Withdrawal Amount: The minimum withdrawal amount is set to 0.0001 ether.
setVariable(MIN_WITHDRAW_AMOUNT, 10**14);
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderConfig.sol#L97
If a malicious user creates a large number of such minimum-amount requests, other users are forced to overpay in gas before their own requests are finalized.
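The following is an added toy model of the queue behaviour described above; it is not Stader's code. It assumes a FIFO queue finalized strictly in request-id order, at most `maxRequestIdToFinalize` (50) requests per call, and only once `MIN_BLOCK_DELAY_TO_FINALIZE_WITHDRAW_REQUEST` (600) blocks have passed since the head request was made. The class and function names are hypothetical. It shows how many `finalize` calls a legitimate request behind 1000 spam requests needs, how much capital the spammer must lock at the current `MIN_WITHDRAW_AMOUNT`, and how that capital requirement scales with the minimum amount and the per-call cap, which is the lever a defender has when tuning these parameters.

```python
"""Toy model of a capped withdrawal-finalization queue (constructed example,
not the project's code).  Parameters mirror the settings quoted in the finding."""
from dataclasses import dataclass, field

MIN_BLOCK_DELAY = 600            # MIN_BLOCK_DELAY_TO_FINALIZE_WITHDRAW_REQUEST
MAX_REQUESTS_PER_FINALIZE = 50   # maxRequestIdToFinalize
MIN_WITHDRAW_AMOUNT = 10**14     # MIN_WITHDRAW_AMOUNT, 0.0001 ether in wei


@dataclass
class WithdrawalRequest:
    owner: str
    amount: int
    requested_at_block: int
    finalized: bool = False


@dataclass
class WithdrawalQueue:
    """Hypothetical FIFO queue: requests finalize in id order, at most
    MAX_REQUESTS_PER_FINALIZE per call, and only after MIN_BLOCK_DELAY blocks."""
    requests: list = field(default_factory=list)
    next_to_finalize: int = 0

    def request(self, owner: str, amount: int, block: int) -> int:
        """Queue a request; returns its id. Rejects amounts below the minimum."""
        if amount < MIN_WITHDRAW_AMOUNT:
            raise ValueError("amount below MIN_WITHDRAW_AMOUNT")
        self.requests.append(WithdrawalRequest(owner, amount, block))
        return len(self.requests) - 1

    def finalize(self, block: int) -> int:
        """One finalizeUserWithdrawalRequest() call at `block`.
        Returns how many requests this call finalized."""
        done = 0
        while (done < MAX_REQUESTS_PER_FINALIZE
               and self.next_to_finalize < len(self.requests)):
            head = self.requests[self.next_to_finalize]
            if block < head.requested_at_block + MIN_BLOCK_DELAY:
                break  # head not yet mature; nothing behind it can go either
            head.finalized = True
            self.next_to_finalize += 1
            done += 1
        return done


def finalize_calls_until(queue: WithdrawalQueue, request_id: int, start_block: int) -> int:
    """Number of finalize() calls (one per block from start_block) until
    request_id is finalized."""
    calls, block = 0, start_block
    while not queue.requests[request_id].finalized:
        queue.finalize(block)
        calls += 1
        block += 1
    return calls


def griefing_scenario(n_spam: int, victim_amount: int = 10**18) -> tuple:
    """Constructed scenario: n_spam minimum-size requests are queued at block 0
    ahead of one legitimate request; finalization starts once the delay passed.
    Returns (finalize calls until the victim is paid, wei the spammer locked)."""
    q = WithdrawalQueue()
    for _ in range(n_spam):
        q.request("spammer", MIN_WITHDRAW_AMOUNT, block=0)
    victim_id = q.request("victim", victim_amount, block=0)
    calls = finalize_calls_until(q, victim_id, start_block=MIN_BLOCK_DELAY)
    return calls, n_spam * MIN_WITHDRAW_AMOUNT


def spam_capital_for_extra_calls(extra_calls: int,
                                 min_amount: int = MIN_WITHDRAW_AMOUNT,
                                 cap: int = MAX_REQUESTS_PER_FINALIZE) -> int:
    """Wei a griefer must lock to force `extra_calls` additional finalize()
    calls on everyone behind them.  Linear in both tunables, so raising the
    minimum amount (or the per-call cap) raises the griefer's cost directly."""
    return extra_calls * cap * min_amount


if __name__ == "__main__":
    calls, locked = griefing_scenario(1000)
    print(f"victim needs {calls} finalize calls; spammer locked {locked / 1e18:.4f} ether")
    print(f"20 extra calls at 0.001 ether minimum costs "
          f"{spam_capital_for_extra_calls(20, min_amount=10**15) / 1e18:.3f} ether")
```

Running the model reproduces the figures in the finding: with 1000 spam requests the legitimate request is paid on the 21st call (20 calls consumed entirely by spam), for 0.1 ether locked by the spammer, and the cost of that griefing scales linearly with `MIN_WITHDRAW_AMOUNT`.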
Tools Used
VS Code
Recommended Mitigation Steps
Assessed type
DoS