Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Arbitrary User won't be able to stake on Behalf of Staker despite correct User Signature Intent #109

Open
c4-bot-2 opened this issue Mar 2, 2024 · 3 comments
Open

Arbitrary User won't be able to stake on Behalf of Staker despite correct User Signature Intent #109

c4-bot-2 opened this issue Mar 2, 2024 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_24_group AI based duplicate group recommendation

Comments

@c4-bot-2
Copy link
Contributor

c4-bot-2 commented Mar 2, 2024

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L660

Vulnerability details

Proof of Concept

The UniStaker contract facilitates staking in multiple ways:

  1. stake: Directly used by the staker to stake UNI tokens into the UniStaker Contract.

  2. permitAndStake: Enables the staker to sign an ECDSA signature permitting the contract to transfer and stake tokens.

  3. stakeOnBehalf: Intended for staking UNI tokens on behalf of another user, utilizing a provided user intent signature.

However, look at Natspec of stakeOnBehalf function which reveals an important point:

@->   /// @notice Stake tokens to a new deposit on behalf of a user, using a signature to validate the
      /// user's intent. The caller must pre-approve the staking contract to spend at least the
      /// would-be staked amount of the token.


@->   /// @param _depositor Address of the user on whose behalf this stake is being made.


      function stakeOnBehalf(

Here, it's clearly written that caller must pre-approve the staking contract to spend at least the would-be staked amount of the token..

Consider the following scenario:

  1. Alice intends to stake X UNI tokens on behalf of Bob.
  2. Bob signs the staking transaction and sends the signature to Alice.
  3. Alice, as the caller, proceeds to invoke stakeOnBehalf, ensuring pre-approval of X tokens to the contract.
  4. During execution, upon reaching the _stake function, funds transfer occurs from Bob to the designated _surrogate address, rather than from Alice to _surrogate, resulting in failure to stake funds on behalf of Bob because of following line.
660:    _stakeTokenSafeTransferFrom(_depositor, address(_surrogate), _amount);

Link to Code

This way, Alice fails to stake funds on behalf of Bob.

Impact

Inability to allow others to stake funds on behalf of user, despite possessing the correct signature (user intent).

Tools Used

VS Code

Recommended Mitigation Steps

Update the _stake function as follows to permit any entity to stake on behalf of a user, provided they possess the user's intent:

     function _stake(address _depositor, uint256 _amount, address _delegatee, address _beneficiary)
    internal
    returns (DepositIdentifier _depositId)
  {
      // SNIP //

-     _stakeTokenSafeTransferFrom(_depositor, address(_surrogate), _amount);
+     _stakeTokenSafeTransferFrom(msg.sender, address(_surrogate), _amount);

Assessed type

Context
@c4-bot-2 c4-bot-2 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 2, 2024
c4-bot-8 added a commit that referenced this issue Mar 2, 2024
@c4-bot-8
Breeje issue #109
f3671a2
@c4-bot-11 c4-bot-11 added the 🤖_24_group AI based duplicate group recommendation label Mar 5, 2024
@MarioPoneder
Copy link

Working as intended. Someone else pays for transaction stakeOnBehalf while funds are still transferred from _depositor.
However, the doc/comment is misleading, therefore valid QA.

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 7, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder changed the severity to QA (Quality Assurance)

@MarioPoneder MarioPoneder mentioned this issue Mar 14, 2024
Open
@c4-judge
Copy link
Contributor

MarioPoneder marked the issue as grade-b

@C4-Staff C4-Staff reopened this Mar 27, 2024
@C4-Staff C4-Staff added grade-a and removed grade-b labels Mar 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_24_group AI based duplicate group recommendation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@MarioPoneder @c4-judge @C4-Staff @c4-bot-2 @c4-bot-11