c4-judge
commented
1 year ago GalloDaSballo marked the issue as duplicate of #702
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago GalloDaSballo marked the issue as duplicate of #702
c4-judge
commented
1 year ago GalloDaSballo marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L236 https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MultisigManager.sol#L67
Vulnerability details
Impact
All pools get assigned to the same multisig, assuming the protocol runs at least 1 active pool every time. Every minipool created is assigned a multisig, which cannot be changed later. The protocol selects a multisig for this using
MinipoolManager.requireNextActiveMultisig, which returns the first enabled multisig.To configure, such that any new pool gets assigned a new multisig, the previous has to be disabled. But comments indicate that disabling a multisig, will also disable validations by any pools that have that multisig.
The code doesn't contain any function to reassign a pool to a new multisig. So, if the protocol always has at least 1 minipool running, it becomes impossible to change the multisig.
Proof of Concept
Creating a new pool will assign to it the first enables multisig. Any new pool created from when this pool started to when this pool ends, will have the same multisig, since disabling that multisig to change to another, will disable validation by the earlier pool. So, assuming the protocol always has 1 pool active, that multisig could never be changed.
Tools Used
Manual inspection
Recommended Mitigation Steps
Add a function to reassign all pools of a to-be-disabled multisig to a different multisig. This may include logic to transfer the staking funds plus any rewards, from the old multisig to the new multisig, through the reassigning function.