code-423n4 / 2023-04-eigenlayer-findings


Attacker can make his stake immune to `verifyOvercommittedStake`. #370

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L175-L226
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L241-L294

Vulnerability details

Impact

verifyOvercommittedStake for an EigenPod will be DOSed, and Attacker's shares will never be reduced even when his stake on BeaconChain gets slashed, and someone attempts to record the overcommitment.

Proof of Concept

Here is the verifyWithdrawalCredentialsAndBalance function (L175-L226) and the verifyOvercommittedStake function (L241-L294).

Imagine this scenario:

Tools Used

Manual Review

Recommended Mitigation Steps

In the verifyWithdrawalCredentialsAndBalance function, verify against the current beaconStateRoot or a very recent beaconStateRoot, as is done in the verifyOvercommittedStake function, instead of allowing the user to input an arbitrary oracleBlockNumber:

require(
    oracleBlockNumber + VERIFY_OVERCOMMITTED_WINDOW_BLOCKS >= block.number,
    "EigenPod.verifyOvercommittedStake: specified blockNumber is too far in past"
);

Assessed type

DoS

0xSorryNotSorry commented 1 year ago

It looks like a different attack approach to the same mitigation of https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/374

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as primary issue

c4-sponsor commented 1 year ago

Sidu28 marked the issue as sponsor disputed

Sidu28 commented 1 year ago

It is not possible to change existing 0x01-type withdrawal credentials of a pubkey, even a fully exited one. Alice cannot "stakes ETH again on BeaconChain with withdrawal credentials pointed to her own address" if she is staking to the same validator. So there are two cases:

1) Alice stakes to the same validator, so is not overcommitted
2) Alice stakes to a different validator, so is indeed overcommitted and can be proved to be overcommitted

Neither of these cases is an issue.

GalloDaSballo commented 1 year ago

With the info I have, I agree with the Sponsor

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient proof