/// @notice Sends `amount` wei from this contract's balance to the MevEth contract as a validator withdrawal.
/// @dev Calls ITinyMevEth(MEV_ETH).grantValidatorWithdraw with `amount` attached as the call value.
/// @param amount Wei to attach to the call; it is not validated here.
// NOTE(review): this function is `external` with no modifier and no msg.sender check, so any
// account can trigger it with an arbitrary `amount`. The callee only checks that the call comes
// from the staking module, so that check is satisfied no matter who started the transaction.
// Restrict this entry point to a trusted role before relying on the callee's accounting.
function payValidatorWithdraw(uint256 amount) external {
ITinyMevEth(MEV_ETH).grantValidatorWithdraw{ value: amount }();
}
/// @notice Accepts ETH sent for a validator withdrawal and adjusts `fraction.elastic` by the
///         difference between the received value and 32 ether.
/// @dev Reverts with MevEthErrors.InvalidSender unless msg.sender is `stakingModule`, and with
///      MevEthErrors.ZeroValue when no ETH is attached. Emits ValidatorWithdraw before any accounting.
// NOTE(review): every call is accounted as one full 32 ether validator exit. Nothing visible here
// ties msg.value to an actual validator, so the sender check is the only gate and this function
// is only as safe as each path in the staking module that can reach it.
function grantValidatorWithdraw() external payable {
if (msg.sender != address(stakingModule)) revert MevEthErrors.InvalidSender();
if (msg.value == 0) {
revert MevEthErrors.ZeroValue();
}
emit ValidatorWithdraw(msg.sender, msg.value);
// Exactly 32 ether: the full stake came back, so the accounted balance is left unchanged.
if (msg.value == 32 ether) {
return;
}
if (msg.value < 32 ether) {
// Less than 32 ether is assumed to be a slashed validator, so the shortfall
// (32 ether - msg.value) is removed from the elastic balance.
// `unchecked` turns off the underflow revert: if the shortfall exceeds fraction.elastic,
// the value wraps to a very large number instead of reverting.
// NOTE(review): use checked arithmetic or an explicit bound here as defence in depth.
unchecked {
fraction.elastic -= uint128(32 ether - msg.value);
}
} else {
// More than 32 ether: the excess is counted as unclaimed rewards and added to the
// elastic balance. The addition is also unchecked, so it would wrap on overflow.
unchecked {
fraction.elastic += uint128(msg.value - 32 ether);
}
}
}
Remediation
Add access control to WagyuStaker.sol:payValidatorWithdraw.
Description
WagyuStaker.sol:payValidatorWithdraw (L75-77)
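1. Any account calls payValidatorWithdraw(1 wei). The function has no access control and forwards the call to grantValidatorWithdraw from the staking contract (presumably the registered stakingModule, so the sender check passes).
2. grantValidatorWithdraw treats any value below 32 ETH as a slashed validator, so fraction.elastic decreases by ~32 ETH.
3. Repeat steps 1-2 until the subtraction underflows; the unchecked block lets it wrap instead of reverting.
4. fraction.elastic is now huge and the share value is inflated.
5. Withdraw all funds with a tiny amount of shares.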
Status
Reported
Type
Vulnerability
Severity
Highest
Code Snippet:
Remediation
Add access control to WagyuStaker.sol:payValidatorWithdraw.
Description