Skip to content

Latest commit

 

History

History
41 lines (32 loc) · 1.64 KB

File metadata and controls

41 lines (32 loc) · 1.64 KB

TempleDAO Spoof Old Staking Contract

Step-by-step

  1. Create a contract that does not revert when receiving a call to migrateWithdraw
  2. Call migrateStake(evilContract, MAX_UINT256) and get a lot of tokens.

Detailed Description

The protocol wanted to allow users to migrate stake from an old contract to a new one. To do that, they provided a migrateStake function:

    function migrateStake(address oldStaking, uint256 amount) external {
        StaxLPStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        _applyStake(msg.sender, amount);
    }

An OK implementation of migrateWithdraw should transfer amount from msg.sender to the current contract and revert if it wasn't able to. _applyStake would later add amount to msg.sender.

Unfortunately, it is trivial to pass an evil oldStaking contract that never reverts.

Possible mitigations

  • Store a list of valid oldStaking contract addresses and whitelist them (needs an owner if the list needs to be dynamic)

Diagrams and graphs

Entity and class diagram

PlantUML

Sources and references