lido-dao
Theft of shares using `transferSharesFrom` due to math rounding issues
Bug Description
The Lido protocol's documentation states that the balance of stETH is determined by the equation `staked ETH + total staking rewards - slashing`. However, in the event of massive slashing, the result of `staked ETH + total staking rewards - slashing` (the total pooled ether, which is also `totalSupply`) can become less than or equal to `totalShares - 1`, i.e. smaller than the total number of shares. A malicious actor can exploit this discrepancy to abuse the `transferSharesFrom` method, bypassing the allowance check and thereby stealing shares from other users.
Review `transferSharesFrom` on StETH.sol#L353. Notice that if `totalSupply <= totalShares - 1`, converting a share amount to ether with `getPooledEthByShares` (which computes `_sharesAmount * totalPooledEther / totalShares` with truncating integer division) yields `0` whenever `_sharesAmount * totalPooledEther < totalShares`. It is therefore possible to bypass `_spendAllowance` on StETH.sol#L357, because `tokensAmount = 0` while `_sharesAmount > 0`: a spender with no allowance at all passes the check and still moves a non-zero number of the victim's shares.
Impact
A successful exploitation of this vulnerability can lead to:
- Direct theft of user funds, both at-rest and in-motion, excluding unclaimed yield.
- Theft of tokenized staking yield.
- Griefing, where the attacker may not have a profit motive but can cause damage to users or the protocol.
Risk Breakdown
Difficulty to Exploit: Easy
Weakness: The `transferSharesFrom` method can be manipulated using specific amounts to bypass the allowance check in `_spendAllowance` due to math rounding issues in `getPooledEthByShares`.
Recommendation
It is recommended to review and adjust the math logic in `getPooledEthByShares` to prevent rounding issues, and to implement an additional check in the `transferSharesFrom` method to ensure that `tokensAmount` is always greater than zero whenever `_sharesAmount` is non-zero.
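To make the arithmetic in the bug description and the recommended check concrete, here is an added Python model of the stETH share accounting. It is not Lido's contract code: the numbers are constructed, and the method names only mirror the contract's `getPooledEthByShares`, `_spendAllowance` and `transferSharesFrom` by convention. It shows the vulnerable path (allowance checked in wei, shares moved in shares, integer division truncating to zero after a massive slashing) next to the hardened variant that refuses a non-zero share transfer that rounds to zero tokens.

```python
"""Integer model of stETH share accounting (added example, not Lido code)."""
from dataclasses import dataclass, field


@dataclass
class StETHModel:
    total_pooled_ether: int                 # staked ETH + rewards - slashing, in wei
    total_shares: int = 0
    shares: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> wei

    def mint_shares(self, account: str, shares_amount: int) -> None:
        self.shares[account] = self.shares.get(account, 0) + shares_amount
        self.total_shares += shares_amount

    def get_pooled_eth_by_shares(self, shares_amount: int) -> int:
        # Same formula as the contract. Division truncates, so any amount with
        # shares_amount * totalPooledEther < totalShares converts to 0 wei.
        return shares_amount * self.total_pooled_ether // self.total_shares

    def max_free_shares(self) -> int:
        """Largest share amount that still converts to 0 wei (0 on a healthy pool)."""
        if self.total_pooled_ether == 0:
            return self.total_shares
        return (self.total_shares - 1) // self.total_pooled_ether

    def _spend_allowance(self, owner: str, spender: str, amount: int) -> None:
        current = self.allowances.get((owner, spender), 0)
        if current < amount:
            raise PermissionError("ALLOWANCE_EXCEEDED")
        self.allowances[(owner, spender)] = current - amount

    def _transfer_shares(self, sender: str, recipient: str, shares_amount: int) -> None:
        if self.shares.get(sender, 0) < shares_amount:
            raise ValueError("BALANCE_EXCEEDED")
        self.shares[sender] -= shares_amount
        self.shares[recipient] = self.shares.get(recipient, 0) + shares_amount

    def transfer_shares_from(self, caller: str, sender: str, recipient: str,
                             shares_amount: int) -> int:
        """Vulnerable path: allowance is checked in wei, shares move in shares."""
        tokens = self.get_pooled_eth_by_shares(shares_amount)
        self._spend_allowance(sender, caller, tokens)   # passes when tokens == 0
        self._transfer_shares(sender, recipient, shares_amount)
        return tokens

    def transfer_shares_from_hardened(self, caller: str, sender: str, recipient: str,
                                      shares_amount: int) -> int:
        """Recommended check: a non-zero share move must never cost 0 wei."""
        tokens = self.get_pooled_eth_by_shares(shares_amount)
        if shares_amount > 0 and tokens == 0:
            raise ValueError("ZERO_TOKENS_FOR_NONZERO_SHARES")
        self._spend_allowance(sender, caller, tokens)
        self._transfer_shares(sender, recipient, shares_amount)
        return tokens


def _slashed_pool(slashed_pooled_ether: int) -> StETHModel:
    # Constructed scenario: the victim staked 1000 wei for 1000 shares at 1:1,
    # then a massive slashing leaves only `slashed_pooled_ether` wei behind.
    pool = StETHModel(total_pooled_ether=1000)
    pool.mint_shares("victim", 1000)
    pool.total_pooled_ether = slashed_pooled_ether
    return pool


def run_attack(slashed_pooled_ether: int = 10) -> dict:
    """Attacker with no allowance drains the victim via the vulnerable path."""
    pool = _slashed_pool(slashed_pooled_ether)
    per_call = pool.max_free_shares()
    stolen = 0
    amount = min(per_call, pool.shares["victim"])
    while amount > 0:
        pool.transfer_shares_from("attacker", "victim", "attacker", amount)
        stolen += amount
        amount = min(per_call, pool.shares["victim"])
    return {"per_call": per_call, "stolen_shares": stolen,
            "victim_shares": pool.shares["victim"],
            "attacker_shares": pool.shares.get("attacker", 0)}


def hardened_blocks_attack(slashed_pooled_ether: int = 10) -> bool:
    pool = _slashed_pool(slashed_pooled_ether)
    try:
        pool.transfer_shares_from_hardened("attacker", "victim", "attacker",
                                           pool.max_free_shares())
    except ValueError:
        return True
    return False


def healthy_pool_rejects() -> bool:
    """Without slashing every share costs >= 1 wei, so the allowance check holds."""
    pool = _slashed_pool(1000)
    try:
        pool.transfer_shares_from("attacker", "victim", "attacker", 1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_attack(), hardened_blocks_attack(), healthy_pool_rejects())
```

With 1000 shares backed by only 10 wei, `max_free_shares()` is 99, so each call moves 99 shares for a 0 wei allowance charge and the whole balance is gone in eleven calls; on the unslashed pool the same call reverts with `ALLOWANCE_EXCEEDED`. Adding the `tokens == 0` guard closes the path, though rounding the conversion up instead of down is the alternative worth weighing for the underlying math.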
References
- stETH Background
- Lido Rebase Math
Proof of Concept
Here is a POC written in foundry: https://gist.github.com/eugenioclrc/bd2047c1a4b8ea570d58e7a99ecd5ffe
Note from the author: this was originally posted on https://immunefi.com/ but I didn't get any rewards; after this report, LIDO people contacted me and sent me a small reward. Thank you LIDO!!!!!