hats-finance / StakeWise-0xd91cd6ed6c9a112fdc112b1a3c66e47697f522cd

Liquid staking protocol for Ethereum

Users in EthGenesisVault gain more than users of StakeWise v2 #124

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @0xmahdirostami
Submission hash (on-chain): 0x3d2c2c7c13630e5a2800350391d904c78b2abc04f1c525f0dbbf8d0fc2125a42
Severity: high

Description:

In EthGenesisVault, updateState() is calculated in this way: https://github.com/stakewise/v3-core/blob/c82fc57d013a19967576f683c5e41900cbdd0e67/contracts/vaults/ethereum/EthGenesisVault.sol#L99-L133

    uint256 totalPrincipal = _totalAssets + legacyPrincipal;
    if (totalAssetsDelta < 0) {
      // calculate and update penalty for legacy pool
      int256 legacyPenalty = SafeCast.toInt256(
        Math.mulDiv(uint256(-totalAssetsDelta), legacyPrincipal, totalPrincipal)
      );
      _rewardEthToken.updateTotalRewards(-legacyPenalty);
      // deduct penalty from total assets delta
      totalAssetsDelta += legacyPenalty;
    } else {
      // calculate and update reward for legacy pool
      int256 legacyReward = SafeCast.toInt256(
        Math.mulDiv(uint256(totalAssetsDelta), legacyPrincipal, totalPrincipal)
      );
      _rewardEthToken.updateTotalRewards(legacyReward);
      // deduct reward from total assets delta
      totalAssetsDelta -= legacyReward;
    }

and _totalAssets is used for the calculation of totalPrincipal. Any change in _totalAssets affects totalAssetsDelta for EthGenesisVault and legacyReward for StakeWise v2. _totalAssets could be changed by updateState(), so in the next updateState() totalAssetsDelta will be changed.

The problem is totalAssetsDelta, which increases totalAssets to gain more rewards for the next updateState(), but it's fair if totalAssetsDelta (ETH) is used by validators or exits.

Attack Scenario

Consider the following scenario: totalAssetsDelta is worth 31 ETH, so _totalAssets is increased by 31 ETH, but this 31 ETH isn't used by the vault, so it isn't creating more rewards (but it is calculated in the formula).

Impact

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

    This issue arises in EthGenesisVault because it uses _totalAssets for splitting. In the updateState() formula, don't use _totalAssets for the calculation.
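
Added example, not part of the original report or the StakeWise code: a Python integer model of the split in the quoted excerpt, showing how the vault's share of each delta moves across consecutive updateState() calls. The 1000/3000 ETH balances, the `legacy_compounds` switch and the rule that the vault's share is added to `_totalAssets` are assumptions made for illustration; the excerpt does not show whether `legacyPrincipal` also grows between calls, so both cases are modelled.

```python
ETH = 10**18  # constructed sample values are expressed in wei


def split_delta(total_assets: int, legacy_principal: int, delta: int) -> tuple[int, int]:
    """Return (legacy_part, vault_part) for a signed totalAssetsDelta."""
    total_principal = total_assets + legacy_principal
    # Math.mulDiv rounds down on the magnitude; the sign is applied afterwards,
    # as the excerpt does with uint256(-totalAssetsDelta).
    magnitude = abs(delta) * legacy_principal // total_principal
    legacy_part = -magnitude if delta < 0 else magnitude
    # "deduct reward/penalty from total assets delta": the vault keeps the rest,
    # including the rounding remainder.
    return legacy_part, delta - legacy_part


def simulate(total_assets: int, legacy_principal: int, deltas, legacy_compounds: bool):
    """Apply each delta in turn; return the vault's share of each one in basis points."""
    shares_bps = []
    for delta in deltas:
        if delta == 0:
            shares_bps.append(0)
            continue
        legacy_part, vault_part = split_delta(total_assets, legacy_principal, delta)
        shares_bps.append(vault_part * 10_000 // delta)
        # Assumption: the vault's part of the delta is added to _totalAssets.
        total_assets += vault_part
        # Hypothetical switch: does the legacy side's principal grow as well?
        if legacy_compounds:
            legacy_principal += legacy_part
    return shares_bps


if __name__ == "__main__":
    rounds = [31 * ETH] * 3  # the 31 ETH delta from the scenario, three updates
    print("legacy principal fixed:    ", simulate(1000 * ETH, 3000 * ETH, rounds, False))
    print("legacy principal compounds:", simulate(1000 * ETH, 3000 * ETH, rounds, True))
```

When only `_totalAssets` grows, the vault's share of each later delta rises; when both sides absorb their part, the ratio stays at its starting value.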

tsudmi commented 1 year ago

Sorry, I don't understand what the issue is here. Please provide a better example of an attack.

0xmahdirostami commented 1 year ago

Please close this one