code-423n4 / 2024-03-gitcoin-mitigation-findings


QA (previous Issue #15) MitigationConfirmed #6

Open c4-bot-7 opened 7 months ago

c4-bot-7 commented 7 months ago

Lines of code

Vulnerability details

In the previous code, as long as 90 days had passed since lastBurnTimestamp, anyone could call lockAndBurn to burn the funds; however, the 90 days here may include time during which the protocol is paused, making the real time for users to appeal and receive slashed funds less than 90 days.

In the mitigation, lockAndBurn can only be called by BURNER_ROLE:

https://github.com/gitcoinco/id-staking-v2/blob/7c19717aeab91a0166fc1ca50f443ee2ce7483f0/contracts/IdentityStaking.sol#L620

  function lockAndBurn() external onlyRole(BURNER_ROLE) whenNotPaused {

In this case, the protocol can monitor the paused time in a certain currentSlashRound, and once 90 days have passed from lastBurnTimestamp, the monitor can wait for that paused time and then call lockAndBurn, which means any users who got slashed in that currentSlashRound or before it will have enough time (90 days) to appeal.
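The comment above describes an off-chain BURNER_ROLE monitor that delays lockAndBurn by however long the contract was paused during the round. The following is an added example of that monitor logic, not code from the id-staking-v2 repository or from the warden; it assumes pause intervals are recovered from the contract's Paused/Unpaused events (constructed inline here), and the constant name APPEAL_WINDOW is illustrative rather than the contract's own identifier:

```python
"""Off-chain burner monitor: call lockAndBurn only once 90 days of *unpaused*
time have elapsed since lastBurnTimestamp.

Added example; not code from gitcoinco/id-staking-v2. Pause intervals are
assumed to be reconstructed from Paused/Unpaused events (constructed below).
"""
from dataclasses import dataclass
from typing import Optional, Sequence

DAY = 24 * 60 * 60
APPEAL_WINDOW = 90 * DAY  # illustrative name for the 90-day minimum round duration


@dataclass(frozen=True)
class PauseInterval:
    start: int           # block timestamp of the Paused event
    end: Optional[int]   # block timestamp of the Unpaused event; None if still paused


def paused_seconds_in_window(window_start: int, window_end: int,
                             pauses: Sequence[PauseInterval]) -> int:
    """Seconds of [window_start, window_end) during which the contract was paused.

    Intervals are clipped to the window and merged, so a pause that began before
    lastBurnTimestamp, an open-ended pause, or overlapping intervals are all
    counted exactly once."""
    clipped = []
    for p in pauses:
        end = window_end if p.end is None else p.end
        s, e = max(p.start, window_start), min(end, window_end)
        if s < e:
            clipped.append((s, e))
    clipped.sort()
    total = 0
    cur_s = cur_e = None
    for s, e in clipped:
        if cur_e is None or s > cur_e:          # disjoint from the current run
            if cur_e is not None:
                total += cur_e - cur_s
            cur_s, cur_e = s, e
        else:                                    # overlapping/adjacent: extend run
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += cur_e - cur_s
    return total


def unpaused_seconds_since(last_burn_ts: int, now: int,
                           pauses: Sequence[PauseInterval]) -> int:
    """Wall-clock time since lastBurnTimestamp minus time spent paused."""
    return (now - last_burn_ts) - paused_seconds_in_window(last_burn_ts, now, pauses)


def is_paused_at(ts: int, pauses: Sequence[PauseInterval]) -> bool:
    return any(p.start <= ts and (p.end is None or ts < p.end) for p in pauses)


def should_call_lock_and_burn(last_burn_ts: int, now: int,
                              pauses: Sequence[PauseInterval]) -> bool:
    """The naive check is `now - lastBurnTimestamp >= 90 days`. The monitor
    additionally refuses while paused (whenNotPaused would revert anyway) and
    requires 90 days of *unpaused* time, so slashed users keep a full appeal window."""
    if is_paused_at(now, pauses):
        return False
    return unpaused_seconds_since(last_burn_ts, now, pauses) >= APPEAL_WINDOW


if __name__ == "__main__":
    # Constructed scenario: burn at t=0, contract paused from day 10 to day 20.
    pauses = [PauseInterval(10 * DAY, 20 * DAY)]
    print("day 90 (naive check passes):", should_call_lock_and_burn(0, 90 * DAY, pauses))
    print("day 100 (90 unpaused days):", should_call_lock_and_burn(0, 100 * DAY, pauses))
```

At day 90 the naive on-chain check would already allow the burn, but only 80 days of the round were unpaused, so the monitor waits until day 100. Time the contract was paused before lastBurnTimestamp is clipped away and does not extend the wait.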

c4-judge commented 7 months ago

GalloDaSballo marked the issue as satisfactory

c4-judge commented 7 months ago

GalloDaSballo marked the issue as confirmed for report

c4-judge commented 7 months ago

GalloDaSballo marked the issue as not confirmed for report