hats-finance / Convergence---Convex-integration-0xb3df23e155b74ad2b93777f58980d6727e8b40bb


`PoolEthInfo.fee` upper limit is not checked in StakingServiceBase#setPoolEthInfo #53

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @0xumarkhatab
Twitter username: 0xumarkhatab
Submission hash (on-chain): 0x9e7d3e6658f64e6bac35f885204a474a01ef1278ef7397708688d284b003bbe1
Severity: medium

Description: The StakingServiceBase.sol#setPoolEthInfo method accepts a new config for ETH pool information, including the token address, the pool type, the fee, etc. It apparently validates every parameter and handles every possible case.

However, it fails to handle the case where the fee param given by the user in the ETH pool info is not in some defined range, in particular when it is very large, or very low but greater than zero.

If an invalid fee is entered, for example if the fee is updated for a UniV3 pool and the fee entered is not in the acceptable value set (fee levels: 0.05%, 0.30%, and 1%), then the swaps targeting that pool will fail, which can temporarily stop the system's _depositEth function.

As it is a base contract, any contract inheriting from it will face this issue. For example, CvxAssetStakingService inherits from this base contract, so its deposit and depositEth methods can be frozen by this vulnerability because the fee param provided by the owner is not correct.

Likelihood is low, impact is high, so marking it as medium.

Attack Scenario: The owner of StakingServiceBase will call the setPoolEthInfo method with some invalid fee that is greater than zero, and this will result in reverts.

Attachments

  1. Proof of Concept (PoC) File: Please see the attack scenario section.

  2. Revised Code File (Optional): Implement upper bound and specific value checks for each pool type and ensure that only valid values are accepted for each type of pool config.
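An added example, written for this page and not taken from the Convergence code base or from the report, of the per-pool-type fee check the revised-code suggestion asks for. The `PoolEthInfo` struct, the `PoolType` enum, the owner check and the contract name are assumptions standing in for the real `StakingServiceBase` layout; the Uniswap V3 tiers the report lists correspond to the factory's `uint24` fee units (0.05% = 500, 0.30% = 3000, 1% = 10000), and the factory's real `feeAmountTickSpacing` view is consulted so the allowlist cannot drift from the tiers the deployed factory actually enables.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slice of the real Uniswap V3 factory interface: the view returns 0 for
// any fee amount the factory has not enabled, so it doubles as a tier allowlist.
interface IUniswapV3Factory {
    function feeAmountTickSpacing(uint24 fee) external view returns (int24);
}

/// @dev Hypothetical sketch; field names and pool types are assumptions, not the project's.
contract FeeValidatedStaking {
    enum PoolType { UniV3, Curve } // assumed pool types

    struct PoolEthInfo {
        PoolType poolType;
        address token;
        uint24 fee; // UniV3 fee tier in hundredths of a bip: 500, 3000 or 10000 for the tiers the report lists
    }

    error NotOwner();
    error ZeroToken();
    error InvalidFee(PoolType poolType, uint24 fee);

    address public immutable owner;
    IUniswapV3Factory public immutable uniV3Factory;
    PoolEthInfo public poolEthInfo;

    constructor(IUniswapV3Factory factory) {
        owner = msg.sender;
        uniV3Factory = factory;
    }

    function setPoolEthInfo(PoolEthInfo calldata info) external {
        if (msg.sender != owner) revert NotOwner();
        if (info.token == address(0)) revert ZeroToken();
        _validateFee(info.poolType, info.fee); // reject a bad tier at config time, not at the first deposit
        poolEthInfo = info;
    }

    function _validateFee(PoolType poolType, uint24 fee) internal view {
        if (poolType == PoolType.UniV3) {
            // Only a tier the factory has enabled can be routed; any other value would
            // make the swap revert later and freeze the deposit path the report describes.
            if (uniV3Factory.feeAmountTickSpacing(fee) == 0) revert InvalidFee(poolType, fee);
        } else {
            // Assumed: non-UniV3 pools carry no fee tier here, so a stray non-zero value is refused.
            if (fee != 0) revert InvalidFee(poolType, fee);
        }
    }
}
```

Checking against the factory rather than a hardcoded `500 / 3000 / 10000` list also admits tiers added after deployment, at the cost of one external view call per config update.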

PlamenTSV commented 4 months ago

Centralization risk