Open c4-submissions opened 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #4
raymondfam marked the issue as duplicate of #514
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L100 https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDeV2.sol#L116
Vulnerability details
Impact
If there are two users and one of them has a non-zero allowance from the other, then it is possible for the first one to delay the unstake eta of the second one indefinitely.
Proof of Concept
When users call [StakedUSDeV2, function cooldownAssets]() and [function cooldownShares](), the
cooldownEnd
of the givenowner
position is extended bycooldownDuration
.StakedUSDeV2, function cooldownAssets
However, as the
owner
is user-controlled and the only place that the relation betweenmsg.sender
andowner
is checked is when_withdraw
is called, which calls the upper method in the OZ ERC4626 contract:if the allowance is non-zero, then unstake eta of
owner
can be delayed indefinitely bymsg.sender
, as the possible amount that can be withdrawn can be as low as1 wei
. He can set the allowance to0
, it's true, but our malicious user can front-run him and withdraw all of his allowance in batches of1 wei
, leading to a loss of funds (not exactly, as the stake can be claimed once the time passes, but depending on the allowance it may be a few weeks after the expected cooldown eta or in 1000 years).Recommended Mitigation Steps
I would remove the possibility of delegates between both users, that is, I would make it possible just for user A to cooldown their own assets and not the assets of any other user:
Assessed type
Access Control