Open code423n4 opened 1 year ago
GalloDaSballo marked the issue as duplicate of #136
GalloDaSballo marked the issue as not a duplicate
GalloDaSballo changed the severity to 3 (High Risk)
GalloDaSballo changed the severity to 2 (Med Risk)
GalloDaSballo marked the issue as primary issue
Making primary for the inability to slash if price drops because of coded POC which is well presented.
The Warden has shown a risk to the protocol, in cases in which the price of GGP drops too low, slashing could not be performed.
In contrast to other reports, this is a finding that shows an issue with the system and its consequences, more so than an economic attack.
For this reason I believe Medium to be the most appropriate Severity.
GalloDaSballo marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/Staking.sol#L379-L383
Vulnerability details
Description
When creating a minipool the node operator is required to put up a collateral in GGP, the protocol token. The amount of GGP collateral needed is currently calculated to be 10% of the AVAX staked. This is calculated using the price of GGP - AVAX.
If the node operator doesn't have high enough availability and doesn't get any rewards the protocol will slash their GGP collateral to reward liquid stakers. This is also calculated using the price of GGP - AVAX:
This is then subtracted from their staked amount:
The issue is that the current staked amount is never checked so the subUint can fail due to underflow if the price has changed since the minipool was created/recreated.
Impact
If a node operator doesn't have enough collateral, possibly caused by price changes in GGP during slashing they evade slashing altogether.
It's even possible for the node operator to foresee this and manipulate the price of GGP just prior to the period ending if they know that they are going to be slashed.
Proof of Concept
PoC test in MinipoolManager.t.sol:
The only thing the protocol can do now is to call recordStakingError for the minipool, since no other state changes are allowed. This will return the staked funds but it will not slash the GGP amount for the node operator. Hence the node operator has evaded the slashing.
Tools Used
vs code, forge
Recommended Mitigation Steps
If the amount to be slashed is greater than what the node operator has staked, slash all their stake.
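The recommended mitigation, sketched as an added example that is not part of the original report and is not GoGoPool's code: a reverting slash next to a capped one. The contract, its functions, the price variable and the 18-decimal price convention are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration. All names here are hypothetical, not GoGoPool's own.
/// Access control is outside what this sketch demonstrates.
contract SlashingSketch {
    mapping(address => uint256) public ggpStaked; // GGP staked per node operator (18 decimals)
    uint256 public ggpPriceInAvax = 1 ether;      // AVAX per 1 GGP, 18 decimals (assumed oracle value)

    event Slashed(address indexed operator, uint256 requested, uint256 taken);

    function stake(address operator, uint256 ggpAmt) external {
        ggpStaked[operator] += ggpAmt;
    }

    function setPrice(uint256 newPrice) external {
        require(newPrice > 0, "price must be non-zero");
        ggpPriceInAvax = newPrice;
    }

    /// GGP needed to cover `avaxOwed` at the current price.
    /// A lower GGP price means more GGP for the same AVAX value.
    function slashAmountInGgp(uint256 avaxOwed) public view returns (uint256) {
        return (avaxOwed * 1 ether) / ggpPriceInAvax;
    }

    /// Behaviour described in the report: the checked subtraction reverts when
    /// the slash amount exceeds the stake, so nothing is slashed at all.
    function slashReverting(address operator, uint256 avaxOwed) external {
        uint256 amt = slashAmountInGgp(avaxOwed);
        ggpStaked[operator] -= amt; // reverts with Panic(0x11) if amt > stake
        emit Slashed(operator, amt, amt);
    }

    /// Recommended mitigation: cap the slash at the operator's full stake.
    function slashCapped(address operator, uint256 avaxOwed) external returns (uint256 taken) {
        uint256 requested = slashAmountInGgp(avaxOwed);
        uint256 staked = ggpStaked[operator];
        taken = requested > staked ? staked : requested;
        ggpStaked[operator] = staked - taken;
        emit Slashed(operator, requested, taken);
    }
}
```

Emitting both the requested and the taken amount lets monitoring flag any slash that was capped, which indicates the collateral no longer covered the amount owed at the current price.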