Detailed description of the impact of this finding.
wrong calculation of totalStakes in mintStakes.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
function mintStakes(address account, uint256 rsrAmount) private {
// This is not an overflow risk according to our expected ranges:
// rsrAmount <= 1e29, totalStaked <= 1e38, 1e29 1e38 < 2^256.
// stakeAmount: how many stRSR the user shall receive.
// pick stakeAmount as big as we can such that (newTotalStakes <= newStakeRSR stakeRate)
uint256 newStakeRSR = stakeRSR + rsrAmount;
// newTotalStakes: {qStRSR} = D18{qStRSR/qRSR} {qRSR} / D18
uint256 newTotalStakes = (stakeRate newStakeRSR) / FIX_ONE;
uint256 stakeAmount = newTotalStakes - totalStakes;
// Transfer RSR from account to this contract
stakeRSR += rsrAmount;
_mint(account, stakeAmount);
emit Staked(era, account, rsrAmount, stakeAmount);
}
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/StRSR.sol#L722
Vulnerability details
Impact
Detailed description of the impact of this finding. wrong calculation of totalStakes in mintStakes.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
function mintStakes(address account, uint256 rsrAmount) private { // This is not an overflow risk according to our expected ranges: // rsrAmount <= 1e29, totalStaked <= 1e38, 1e29 1e38 < 2^256. // stakeAmount: how many stRSR the user shall receive. // pick stakeAmount as big as we can such that (newTotalStakes <= newStakeRSR stakeRate) uint256 newStakeRSR = stakeRSR + rsrAmount; // newTotalStakes: {qStRSR} = D18{qStRSR/qRSR} {qRSR} / D18 uint256 newTotalStakes = (stakeRate newStakeRSR) / FIX_ONE; uint256 stakeAmount = newTotalStakes - totalStakes;
Tools Used
Recommended Mitigation Steps
totalStakes=newTotalStakes
Assessed type
Context