Closed. code423n4 closed this issue 1 year ago.
It looks like a different attack approach to the same mitigation of https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/374
0xSorryNotSorry marked the issue as primary issue
Sidu28 marked the issue as sponsor disputed
"It is not possible to change existing 0x01-type withdrawal credentials of a pubkey, even a fully exited one. Alice cannot "stakes ETH again on BeaconChain with withdrawal credentials pointed to her own address" if she is staking to the same validator. So there are two cases: 1) Alice stakes to the same validator, so is not overcommitted; 2) Alice stakes to a different validator, so is indeed overcommitted and can be proved to be overcommitted. Neither of these cases is an issue."
With the info I have, I agree with the Sponsor.
GalloDaSballo marked the issue as unsatisfactory: Insufficient proof
Lines of code

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L175-L226
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L241-L294
Vulnerability details

Impact

verifyOvercommittedStake for an EigenPod will be DoSed, and the attacker's shares will never be reduced, even when his stake on BeaconChain gets slashed and someone attempts to record the overcommitment.

Proof of Concept
Here is the verifyWithdrawalCredentialsAndBalance function: L175-L226

And the verifyOvercommittedStake function: L241-L294

Imagine this scenario:

1. A call to verifyWithdrawalCredentialsAndBalance with an oracleBlockNumber of 15000, a validatorIndex that is still INACTIVE, proofs from block 15000, and validatorFields from block 15000.
2. verifyValidatorFields and verifyValidatorBalance would both pass.
3. verifyOvercommittedStake should decrease the podOwner's shares because the ETH which points to the EigenPod has been slashed on BeaconChain.
4. verifyOvercommittedStake will fail because the oracleBlockNumber is older than 50400 blocks.

Tools Used
Manual Review
Recommended Mitigation Steps
In the verifyWithdrawalCredentialsAndBalance function, verify against the current beaconStateRoot, or a very recent beaconStateRoot, as is done in the verifyOvercommittedStake function, instead of allowing the user to input an arbitrary oracleBlockNumber:

Assessed type

DoS
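The recency check the report recommends, sketched as an added illustration that is not EigenLayer's code: the oracle interface, contract and function names below are hypothetical, and only the 50400-block window is taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal oracle interface assumed for this sketch (not EigenLayer's IBeaconChainOracle).
interface IBeaconRootOracle {
    function stateRootAtBlock(uint64 blockNumber) external view returns (bytes32);
}

contract RecencyCheckSketch {
    IBeaconRootOracle public immutable oracle;

    // Window quoted in the report for verifyOvercommittedStake: 50400 blocks (about 7 days at 12 s/slot).
    uint64 public constant VERIFY_WINDOW_BLOCKS = 50400;

    constructor(IBeaconRootOracle _oracle) {
        oracle = _oracle;
    }

    // Weak form: the caller picks any historical oracleBlockNumber, so the state a proof is
    // checked against can be arbitrarily stale (e.g. block 15000, while the validator was still INACTIVE).
    function rootForProofWeak(uint64 oracleBlockNumber) external view returns (bytes32 root) {
        root = oracle.stateRootAtBlock(oracleBlockNumber);
        require(root != bytes32(0), "no beacon state root for block");
    }

    // Hardened form, as recommended: bound oracleBlockNumber to a recent window before fetching the
    // root, mirroring the check the report says verifyOvercommittedStake already enforces.
    function rootForProofRecent(uint64 oracleBlockNumber) external view returns (bytes32 root) {
        require(oracleBlockNumber <= block.number, "oracleBlockNumber is in the future");
        require(
            oracleBlockNumber + VERIFY_WINDOW_BLOCKS >= block.number,
            "oracleBlockNumber is too far in the past"
        );
        root = oracle.stateRootAtBlock(oracleBlockNumber);
        require(root != bytes32(0), "no beacon state root for block");
    }
}
```

With both entry points bound to the same window, a credential proof and a later overcommitment proof are evaluated against comparably fresh beacon state, which is the property the report says the arbitrary oracleBlockNumber breaks.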