Home - Coinspect Security

TempleDAO Spoof Old Staking Contract

Total Losses

$2.3M+

Date

Network

ethereum logo ethereum

Categories

access control

Step-by-step

  1. Create a contract that does not revert when receiving a call to migrateWithdraw
  2. Call migrateStake(evilContract, MAX_UINT256) and get a lot of tokens.

Detailed Description

The protocol wanted to allow users to migrate stake from an old contract to a new one. To do that, they provided a migrateStake function:

    function migrateStake(address oldStaking, uint256 amount) external {
        StaxLPStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        _applyStake(msg.sender, amount);
    }

An OK implementation of migrateWithdraw should transfer amount from msg.sender to the current contract and revert if it wasn’t able to. _applyStake would later add amount to msg.sender.

Unfortunately, it is trivial to pass an evil oldStaking contract that never reverts.

Possible mitigations

  • Store a list of valid oldStaking contract addresses and whitelist them (needs an owner if the list needs to be dynamic)