Open hats-bug-reporter[bot] opened 1 month ago
Forgot to add in the report that the protocol is going to be deployed on Polygon and Linea as well. This attack will be even easier, as the attacker can front run the deployment of the contracts and stake
.
I think this is too specific since only a singular token with weird behavior can create such impact. I believe an Orchestrator is 50/50 aware that it can cause issues, but I believe it's valid. I will give it both labels, as previous hats issues with singular weird tokens have been deemed low due to likelihood, but the impact here is high. Will leave the final severity to the sponsor.
I think this is highly unlikely but technically possible
Github username: -- Twitter username: @EgisSec Submission hash (on-chain): 0xd550ad6931bdc9f1efc508de69e199837236e00ad4e569aed416ef1d775fa619 Severity: medium
Description: Description\ The issue exists in both contracts and is technically the same, so I grouped them together.
Both
LM_PC_Staking_v1
andLM_PC_KPIRewarder_v1
have astake
function.In both functions
stake
is of typeuint = uint256
. There are some tokens like cUSDCv3 that have a special case in their transfer logic.If the amount specified is
type(uint256).max
then the entire balance ofsrc
will be transfered.This is in issue in Inverter, as the above
stake
functions use theamount
passed as is, meaning iftype(uint256).max
is set, then that's how much the code will credit to the user.This allows for the first depositor in both contracts to completely brick the contracts, as in botch cases if another user stakes, a value will overflow, reverting the tx.
This is especially problematic if rewards are already sent to the contract, as it will make withdrawing them impossible. The owner will lose 100% of them.
The scenario isn't so uncommon as cUSDCv3 has a market cap of $62m, so it's not a niche token and the protocol states that it doesn't support fee-on transfer, rebsing or ERC777 tokens and cUSDCv3 is neither.
Similar issues: Codehawks Sherlock
Attack Scenario\
LM_PC_KPIRewarder_v1
is deployed and the token is cUSDCv3.stake
withamount = type(uint256).max
.totalQueuedFunds
is now equal totype(uint256).max
so anyone that callsstake
will overflow the value and revert the tx.The same scenario happens in
LM_PC_Staking_v1
,totalSupply
will be set totype(uint256).max
and no one else can stake after that and the reward tokens will again be stuck.Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Change
amount
to typeuint128
.