Closed c4-bot-3 closed 1 month ago
This report lacks sufficient proof and, in contrast to https://github.com/code-423n4/2024-07-reserve-findings/issues/39, does not mention the root cause of the vulnerability.
Hey @thereksfour thanks so much for your time.
Instants operation are always being a problem and lead to vulnerabilities, in this report im talking about some risk and manipulation doing stake and then canceling the stake, #39 vuln in finding repo you can see the steps for execute the vuln:
unstakes everything
stakes one token
stakes one token again
Im not mention here the principal root cause since im pointing out different issues here, that why im arguing for a partial 50.
Thanks so much, hope dont bother you
This won't happen, unstake reduces stakeRSR while also reducing totalStakes in _burn, so this doesn't make honest users loss.
- The transaction of the honest user go through with a less mint StRSR token than it should be.
Hey @thereksfour let some comments in this new https://github.com/code-423n4/2024-07-reserve-findings/issues/21 medium , my issue looks more similar to the number 21.
Sorry for bother you.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/StRSR.sol#L259
Vulnerability details
The
StRSR
is putting users in a quote is the user want towithdraw
, this prevent an attacker todeposit
andwithdraw
in the same timestamp and perform some manipulations front running a tx and then backruning.The problem is that users can call
unstake
frontrunning a tx and then backrun withcancelUnstake
to perform manipulation. See impactImpact
Attacker first have to
stake
, then he can call freelyunstake
andcancelUnstake
manipulating some important state variable astotalDrafts
,draftRSR
and the most importantstakeRSR
with that been said all functions that use this variables can be front runed doing some damage.See the next scenario:
stake
(if user have good amount of money this could be so dangerous) in theStRSR
.stake
son rtoken.unstaking
manipulating thestakeRSR
Proof of Concept
See the
unstake
:[Link]
See the
cancelUnstake
:[Link]
As you can see there is nothing to prevent call
unstake
andcancelUnstake
in the same timestamp modifying the variables mention in the impact.The
mint
andburn
function are directly modifying thestakeRSR
variable and the other can be see it in the arrows above.Tools Used
Manual
Recommended Mitigation Steps
Consider Add some mechanism to prevent an user to
unstake
andcancelUnstake
in the same timestamp. Other solution is completely removecancelUnstake
Assessed type
Error