manifoldfinance / mevETH2

mevETH LST Protocol - Repo has migrated see link
https://github.com/MEV-Protocol/meveth

Audit: MANETH-1 #111

Closed 0xKitsune closed 1 year ago

0xKitsune commented 1 year ago

Status

Reported

Type

Vulnerability

Severity

Highest

Code Snippet:

function payValidatorWithdraw(uint256 amount) external {
    ITinyMevEth(MEV_ETH).grantValidatorWithdraw{ value: amount }();
}

function grantValidatorWithdraw() external payable {
    if (msg.sender != address(stakingModule)) revert MevEthErrors.InvalidSender();
    if (msg.value == 0) {
        revert MevEthErrors.ZeroValue();
    }
    emit ValidatorWithdraw(msg.sender, msg.value);
    if (msg.value == 32 ether) {
        return;
    }
    if (msg.value < 32 ether) {
        // assume slashed value so reduce elastic balance accordingly
        unchecked {
            fraction.elastic -= uint128(32 ether - msg.value);
        }
    } else {
        // account for any unclaimed rewards
        unchecked {
            fraction.elastic += uint128(msg.value - 32 ether);
        }
    }
}

Remediation

Add access control to WagyuStaker.sol:payValidatorWithdraw.

Description


WagyuStaker.sol:payValidatorWithdraw (L75-77)

1. payValidatorWithdraw(1 wei)
2. fraction.elastic decreases by ~32 ETH
3. Repeat 1-2 until underflow due to unchecked
4. fraction.elastic is now huge and share value is inflated
5. Withdraw all funds with a tiny amount of shares

sandybradley commented 1 year ago

Fixed in a previous commit: https://github.com/manifoldfinance/mevETH2/commit/4a7d94d9f3936ffa0854ad75aa235f9fdae1c9f2
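
The accounting failure in this finding, modelled in Python as an added example (not code from the repository, the audit or the fix commit). `Staker`, `Accounting`, the `operator` role and the `checked` flag are assumptions of the model; it compares the reported behaviour with the remediation (access control on `payValidatorWithdraw`) and with checked arithmetic as a second guard.

```python
# Added model (not the project's code) of how grantValidatorWithdraw
# updates fraction.elastic, with and without the guards discussed above.
U128_MASK = (1 << 128) - 1
ETHER = 10**18
VALIDATOR_STAKE = 32 * ETHER


class InvalidSender(Exception):
    pass


class ElasticUnderflow(Exception):
    pass


class Accounting:
    def __init__(self, elastic, checked):
        self.elastic = elastic   # stands in for fraction.elastic (uint128)
        self.checked = checked   # False mirrors the Solidity `unchecked` block

    def grant_validator_withdraw(self, value):
        if value == 0:
            raise ValueError("ZeroValue")
        if value < VALIDATOR_STAKE:
            loss = VALIDATOR_STAKE - value
            if self.checked and loss > self.elastic:
                raise ElasticUnderflow(loss)
            # uint128 wraparound, as the EVM does inside `unchecked`
            self.elastic = (self.elastic - loss) & U128_MASK
        else:
            self.elastic = (self.elastic + value - VALIDATOR_STAKE) & U128_MASK


class Staker:
    def __init__(self, accounting, operator=None):
        self.accounting = accounting
        self.operator = operator  # hypothetical role; None = no access control

    def pay_validator_withdraw(self, caller, amount):
        if self.operator is not None and caller != self.operator:
            raise InvalidSender(caller)
        self.accounting.grant_validator_withdraw(amount)


def run(staker, caller, amount, times):
    """Apply the same call repeatedly and return the resulting elastic."""
    for _ in range(times):
        staker.pay_validator_withdraw(caller, amount)
    return staker.accounting.elastic
```

With a constructed starting balance of 100 ETH, the unguarded model wraps past zero on the fourth 1-wei call, while either guard leaves `elastic` at a sane value.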