TempleDAO Spoof Old Staking Contract
Total Losses
$2.3M+
Date
Network
Categories
access controlStep-by-step
- Create a contract that does not revert when receiving a call to
migrateWithdraw
- Call
migrateStake(evilContract, MAX_UINT256)
and get a lot of tokens.
Detailed Description
The protocol wanted to allow users to migrate stake from an old contract to a new one. To do that, they provided a migrateStake
function:
function migrateStake(address oldStaking, uint256 amount) external {
StaxLPStaking(oldStaking).migrateWithdraw(msg.sender, amount);
_applyStake(msg.sender, amount);
}
An OK implementation of migrateWithdraw
should transfer amount
from msg.sender
to the current contract and revert if it wasn’t able to. _applyStake
would later add amount
to msg.sender
.
Unfortunately, it is trivial to pass an evil oldStaking
contract that never reverts.
Possible mitigations
- Store a list of valid
oldStaking
contract addresses and whitelist them (needs anowner
if the list needs to be dynamic)