code-423n4 / 2023-06-stader-findings


EVENT EMITTED WITHOUT ACTION #279

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Penalty.sol#L113-L115

Vulnerability details

Impact

A malicious validator can remain in the system after exceeding its exit penalty threshold. This poses a risk to users and a possible reputation risk to the protocol.

Proof of Concept

In the updateTotalPenaltyAmount(...) function, when the validator's totalPenalty exceeds the exit penalty threshold (totalPenalty >= validatorExitPenaltyThreshold) for a given validator, an event is emitted to force exit the validator, but there is no logic to actually exit the validator. As such, a validator who has exceeded his ExitPenaltyThreshold can call markValidatorSettled(...) to clear out his penalty and continue malicious activities.

Tools Used

VS Code

Recommended Mitigation Steps

Also consider totalPenalty > validatorExitPenaltyThreshold instead of totalPenalty >= validatorExitPenaltyThreshold.

    function updateTotalPenaltyAmount(bytes[] calldata _pubkey) external override nonReentrant {

            ...

            if (totalPenalty > validatorExitPenaltyThreshold) {
                // call a function to exit the penalised defaulter
                emit ForceExitValidator(_pubkey[i]);
            }
            ...
        }
    }

Assessed type

Other

manoj9april commented 1 year ago

Validator gets force exited via offchain, as exit process is not onchain

c4-sponsor commented 1 year ago

manoj9april marked the issue as sponsor disputed

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid
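
A monitoring check for the situation discussed in this thread, as an added example that is not part of the original issue or of Stader's code: since the exit happens off-chain, an operator can reconcile each ForceExitValidator signal against what follows it. The `ValidatorExited` and `ValidatorSettled` record names, the `Log` shape, the grace period and the sample logs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FORCE_EXIT = "ForceExitValidator"  # event name taken from the report
EXITED = "ValidatorExited"         # hypothetical: exit confirmed by the off-chain process
SETTLED = "ValidatorSettled"       # hypothetical: record of a markValidatorSettled(...) call


@dataclass(frozen=True)
class Log:
    block: int
    event: str
    pubkey: str


def audit_force_exits(logs, head_block, grace_blocks):
    """Return sorted (pubkey, finding) pairs for force-exit signals with no exit."""
    pending = {}      # pubkey -> block of the earliest unanswered signal
    findings = set()
    for log in sorted(logs, key=lambda entry: entry.block):  # stable sort
        if log.event == FORCE_EXIT:
            pending.setdefault(log.pubkey, log.block)
        elif log.event == EXITED:
            pending.pop(log.pubkey, None)
        elif log.event == SETTLED and log.pubkey in pending:
            # Settled while a force-exit signal was still unanswered.
            findings.add((log.pubkey, "settled-before-exit"))
            del pending[log.pubkey]
    for pubkey, block in pending.items():
        if head_block - block > grace_blocks:
            findings.add((pubkey, "exit-overdue"))
    return sorted(findings)


# Constructed sample logs (not real chain data).
SAMPLE_LOGS = [
    Log(100, FORCE_EXIT, "0xaa"),
    Log(130, EXITED, "0xaa"),      # signalled, then exited: no finding
    Log(110, FORCE_EXIT, "0xbb"),
    Log(115, SETTLED, "0xbb"),     # settled with the signal still pending
    Log(120, FORCE_EXIT, "0xcc"),  # never exited, past the grace period
    Log(390, FORCE_EXIT, "0xdd"),  # still inside the grace period
]

if __name__ == "__main__":
    for pubkey, finding in audit_force_exits(SAMPLE_LOGS, head_block=400, grace_blocks=50):
        print(pubkey, finding)
```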