Impact
A malicious validator can remain in the system after exceeding its exit penalty threshold. This poses a risk to users and a possible reputation risk to the protocol.
Proof of Concept
In the updateTotalPenaltyAmount(...) function, when a validator's totalPenalty reaches the exit penalty threshold (totalPenalty >= validatorExitPenaltyThreshold), a ForceExitValidator event is emitted, but no state is changed and no logic actually exits the validator. A validator whose penalty has exceeded validatorExitPenaltyThreshold can therefore call markValidatorSettled(...) to clear the penalty and continue malicious activity.
Tools Used
VS Code
Recommended Mitigation Steps
Exit the penalised validator inside updateTotalPenaltyAmount(...) rather than only emitting the event:

    function updateTotalPenaltyAmount(bytes[] calldata _pubkey) external override nonReentrant {
        ...
            if (totalPenalty > validatorExitPenaltyThreshold) {
                // call a function to exit the penalised defaulter
                emit ForceExitValidator(_pubkey[i]);
            }
        ...
        }
    }

Also consider using totalPenalty > validatorExitPenaltyThreshold instead of totalPenalty >= validatorExitPenaltyThreshold.
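The emit-only pattern the finding describes, beside a hardened version that records the forced exit on-chain and makes settlement refuse an exited validator. This is a constructed sketch added here, not Stader's Penalty.sol: only updateTotalPenaltyAmount, markValidatorSettled, totalPenaltyAmount, validatorExitPenaltyThreshold and ForceExitValidator come from the finding; forceExited, the penalty parameter and the custom error are hypothetical, and access control on the update path is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed sketch, not Stader's Penalty.sol. Only the names
// updateTotalPenaltyAmount, markValidatorSettled, totalPenaltyAmount,
// validatorExitPenaltyThreshold and ForceExitValidator come from the
// finding; the rest (forceExited, the penalty parameter, the error) is
// hypothetical. Access control on the update path is omitted for brevity.
contract PenaltyExitSketch {
    uint256 public validatorExitPenaltyThreshold;
    mapping(bytes => uint256) public totalPenaltyAmount;
    // Added state: set once a validator crosses the threshold and never
    // cleared by settlement, so the exit decision survives on-chain.
    mapping(bytes => bool) public forceExited;

    event ForceExitValidator(bytes pubkey);
    error ValidatorForceExited();

    constructor(uint256 threshold) {
        validatorExitPenaltyThreshold = threshold;
    }

    // Vulnerable shape described in the finding: the event is emitted but
    // nothing is recorded, so the validator can still be settled afterwards.
    function updateTotalPenaltyAmountVulnerable(bytes calldata pubkey, uint256 penalty) external {
        totalPenaltyAmount[pubkey] = penalty;
        if (penalty >= validatorExitPenaltyThreshold) {
            emit ForceExitValidator(pubkey);
        }
    }

    // Hardened shape: persist the forced exit next to the event.
    function updateTotalPenaltyAmount(bytes calldata pubkey, uint256 penalty) external {
        totalPenaltyAmount[pubkey] = penalty;
        if (penalty >= validatorExitPenaltyThreshold) {
            forceExited[pubkey] = true;
            emit ForceExitValidator(pubkey);
        }
    }

    // Settlement, the path that wipes the penalty in the finding, now refuses
    // any validator that has been force-exited.
    function markValidatorSettled(bytes calldata pubkey) external {
        if (forceExited[pubkey]) revert ValidatorForceExited();
        delete totalPenaltyAmount[pubkey];
    }
}
```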
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Penalty.sol#L113-L115
Assessed type
Other