Open howlbot-integration[bot] opened 1 month ago
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/rollup/BOLDUpgradeAction.sol#L341-#L363 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/rollup/RollupCore.sol#L274-#L279
Vulnerability details
Impact
During the process of upgrading the rollup contract, there exists a potential issue where the number of stakers exceeds the expected limit by the protocol. The function responsible for refunding existing stakers, pausing and upgrading the old rollup, uses a check to ensure the stakers count does not exceeds 50. However the rollup itself does not include any preventative measures to ensure that the number of stakers does not surpass this limit when creating a new stakes
RollupCore.createnewStake()
. As a result, if the number of stakers exceeds 50, only the first 50 stakers will be force refunded, while the rest may not receive their refunds.As I understand the expectations are that the number of stakers will not get close to this number, nothings prevents this to happen. Stakers beyond the initial 50 may not receive their refunds during the upgrade process, leading to potential financial losses and dissatisfaction among affected stakeholders. Failure to ensure fair treatment of all stakers could erode trust in the smart contract system and damage the project's reputation within the community.
Proof of Concept
The provided code snippet illustrates the logic for handling the upgrade process and force refunding the stakers. It is shown how the
stakerCount
is hardcoded to 50 if it exceeds that number:Tools Used
Manual review
Recommended Mitigation Steps
Implementing an upper bound for stakers when creating a new stake in the
RollupCore::createNewStake()
function can help mitigate the risk of exceeding the staker limit during rollup upgradesAssessed type
Invalid Validation