search

Stride-Labs / stride

Stride: Multichain Liquid Staking
https://stride.zone/
Apache License 2.0
186 stars 204 forks source link

AUDIT: Redemption rate limits are hardcoded #420

Closed asalzmann closed 1 year ago

asalzmann commented 1 year ago

Surfaced from @informalsystems audit of Stride at commit f9736fe0

finding: id: IF-STRIDE-STAKEIBC-REDEMPTIONRATELIMITS title: Redemption rate limits are hardcoded severity: Informational impact: None exploitability: None type: Implementation issue: status: Unresolved

Involved artifacts

Description

The way redemption rate works is it uses formula:

redemptionRate = (undelegatedBalance + stakedBalance + moduleAcctBalance)/stSupply

where the amount inside parentheses represents all the native tokens that Stride protocol owns (ATOMs for Cosmos Hub), and stSupply is staked tokens amount (stATOMs for Cosmos Hub). In the downside, slashing should be limited to ~5% so redemption rate could go down for 5% (normalized to 0.95). On the upside it's limited by the inflation (for Cosmos Hub it's 20% per year), so the expectation is for redemption rate to go up to 1.2 after one year.

Right now, the limit range is hardcoded in stakeibc/types/params.go to be between 0.9 and 1.5.

Problem Scenarios

Different chains have different inflation rates and slashing mechanisms. Also, the redemption rate limits are by nature time dependent.

Recommendation

Each host zone should dynamically specify redemption rate limits. So, consider shifting them through time.

asalzmann commented 1 year ago

Resolved https://github.com/Stride-Labs/stride/pull/606

asalzmann commented 1 year ago

This could be further improved by using a time-weighted trailing average of past redemption rates (e.g. enforce: RR should not change by more than X% per host zone, over N days)