🕷️Example Vulnerability 3

Book an audit with Zokyo

Vulnerability Overview: Double Accounting and Emergency Exit Offsets in Liquid Staking

Code4rena Bug Bounty Payout

Withheld ETH shoud not be sent back to the frxETHMinter contract itself · Issue #221 · code-423n4/2022-09-frax-findingsGitHub

`recoverEther` not updating `currentWithheldETH` breaks calculation of withheld amount for further deposits · Issue #346 · code-423n4/2022-09-frax-findingsGitHub

1. Double Accounting Vulnerability

• Description:

  • Within the staking mechanism, a specific process is designed to convert deposited assets into their corresponding synthetic representations. A potential flaw arises from the interaction between a function that moves assets from the contract and the receiving function of the contract.

  • The moving function can transfer assets without checking if the recipient is the staking contract itself. When the asset reaches the staking contract, the receiving function triggers a conversion into the synthetic asset.

  • The core issue arises when the asset, initially held and already converted to its synthetic representation, gets sent back to the contract. This action inadvertently causes a re-conversion into the synthetic form, leading to the same assets being counted multiple times and thereby distorting the intended 1:1 peg between the real asset and its synthetic counterpart.

• Impact:

  • This vulnerability could lead to a scenario where there is more of the synthetic asset in circulation than the actual underlying asset, potentially undermining trust in the synthetic representation and destabilizing the system's financial equilibrium.

2. Emergency Exit Offsetting

• Description:

  • An emergency function allows the system's owner to retrieve assets under abnormal circumstances. However, this function doesn't update a specific parameter that tracks the amount of withheld assets. When users continue depositing post the emergency recovery, there's a discrepancy between the actual and recorded withheld assets.

  • Specifically, if an emergency retrieval event occurs, and the asset balance resets, but the withheld asset parameter remains unchanged. Subsequent deposits then inflate the amount of withheld assets inaccurately.

• Impact:

  • In situations where the emergency retrieval function is used, subsequent deposits or actions based on the withheld assets will be inaccurate. This discrepancy can cause incorrect amounts being deposited into other associated contracts or being moved to other platforms, leading to direct financial implications and skewing the desired asset ratios.

Mitigation:

• For the double accounting issue: Implement a distinct non-feedback payable function that can receive specific asset amounts without activating the conversion logic, thus preventing unintended duplication.

• For the emergency exit offset: The emergency retrieval function should be revised to adjust the withheld asset parameter accordingly. This ensures that the recorded and real amounts of withheld assets are consistent.

Why Is This a Problem in Liquid Staking? Liquid staking systems heavily rely on the principle that synthetic assets remain pegged 1:1 with their underlying real assets. Any vulnerability or oversight that threatens this peg introduces systemic risk. Users and stakeholders must have confidence that their synthetic assets can always be exchanged for the promised underlying asset. Discrepancies, whether due to double accounting or emergency exit offsets, can lead to financial loss, reputational damage, and a decline in trust in the platform.