Full Report
The website takes a previously known vulnerability, and it explains it. You can "roll" random bugs, which is pretty neat. If you're looking to learn about new vulnerabilities in existing projects, this is a great way to learn.
Analysis Summary
# Vulnerability: Missing Checkpoint Before Staking Leading to Reward Dilution
## CVE Details
- CVE ID: N/A (Smart Contract Audit Finding)
- CVSS Score: 7.5 (High/Medium - Based on report assessment)
- CWE: CWE-682: Incorrect Calculation; CWE-1059: Insufficient Technical Documentation
## Affected Systems
- Products: Olas (formerly Autonolas) Staking Program
- Versions: May 2024 Audit Cycle
- Configurations: `StakingBase.sol` contract deployments utilizing the Olas staking mechanism.
## Vulnerability Description
The `stake()` function in the `StakingBase.sol` contract fails to call the `checkpoint()` function before a new service is added to the staking pool. In this protocol, `checkpoint()` is responsible for distributing accumulated rewards and updating `availableRewards`.
When a new service ID is staked without a prior checkpoint, rewards that were earned by previously existing participants are not "locked in" or distributed to the old participants. Consequently, once a checkpoint is eventually triggered, the rewards accumulated *before* the new participant joined are shared with the *new* participant. This results in an unfair dilution and loss of rewards for services that were already staked.
## Exploitation
- Status: PoC available (Logic flaw identified in Code4rena audit)
- Complexity: Low
- Attack Vector: Network (Interacting with the Smart Contract)
## Impact
- Confidentiality: None
- Integrity: High (Incorrect calculation and distribution of financial rewards)
- Availability: None
## Remediation
### Patches
The vulnerability is resolved by ensuring the `checkpoint()` function is invoked at the start of the `stake()` procedure.
- **Revised Code Implementation:**
solidity
function stake(uint256 serviceId) external {
// Audit Fix: Call checkpoint to distribute rewards before adding new participants
checkpoint();
// Check if there available rewards
if (availableRewards == 0) {
revert NoRewardsAvailable();
}
// ... rest of the function
}
### Workarounds
There are no effective technical workarounds within the contract itself; users must rely on the protocol maintainers to manually call `checkpoint()` frequently or patch the contract logic.
## Detection
- **Indicators of Compromise:** Staked services receiving lower-than-expected reward distributions significantly below the calculated APY upon the entry of new stakers.
- **Detection Methods:** Analysis of historical transaction logs on-chain to verify if `checkpoint()` calls consistently precede `stake()` calls.
## References
- Code4rena Audit Issue: [https://github[.]com/code-423n4/2024-05-olas-findings/issues/89]
- Vulnerable Source Code: [https://github[.]com/code-423n4/2024-05-olas/blob/3ce502ec8b475885b90668e617f3983cea3ae29f/registries/contracts/staking/StakingBase.sol#L591]