code-423n4 / 2024-05-arbitrum-foundation-findings

If an edge or assertion gets slashed, some depositors to the stakingPool will be cheated. #29

Closed howlbot-integration[bot] closed 1 month ago

howlbot-integration[bot] commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/assertionStakingPool/AbsBoldStakingPool.sol#L41-L54

Vulnerability details

Impact

Stakers to a pool are not treated equally when their edge gets slashed. Some will be able to receive the full amount they deposited, while others receive nothing.

Proof of Concept

EdgeStakingPool and AssertionStakingPool inherit AbsBoldStakingPool. They allow users to pool resources together to make assertions and edges. Looking at AbsBoldStakingPool#withdrawFromPool, we can see that depositors are allowed to withdraw the full amount they deposited, even though the edge they staked on got slashed:

    function withdrawFromPool(uint256 amount) public {
        if (amount == 0) {
            revert ZeroAmount();
        }
        uint256 balance = depositBalance[msg.sender];
        if (amount > balance) {
            revert AmountExceedsBalance(msg.sender, amount, balance);
        }

        depositBalance[msg.sender] = balance - amount;
        IERC20(stakeToken).safeTransfer(msg.sender, amount);//@audit-info some depositors will be cheated if edge or assertion(?) gets slashed

        emit StakeWithdrawn(msg.sender, amount);
    }

So let's say 10 people contribute $10 each to an EdgeStakingPool, and the stake required to make an edge is $50. If the edge they made gets invalidated, 5 users will be able to withdraw their full $10, while the other 5 get nothing.

Tools Used

Manual Review

Recommended Mitigation Steps

Losses from losing an assertion or edge should be socialized among all depositors to a pool. StakingPool should employ a shares mechanism, where each depositor will be able to withdraw their share of the total value of the pool.

Assessed type

Error

gzeoneth commented 1 month ago

Invalid. Expected behavior. Pooling is assumed to be exact and slashes are 100%.

c4-judge commented 1 month ago

Picodes marked the issue as unsatisfactory: Insufficient proof
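
An added example, not part of the original issue or the project's code: a Python model of the withdrawal accounting discussed in this thread, comparing the order-dependent payout of `withdrawFromPool` with the shares mechanism the report recommends. It runs the report's 10 x $10 / $50 scenario and an exactly funded pool, which is how the "pooling is exact" comment is read here (an assumption); function names and depositor labels are constructed.

```python
from fractions import Fraction

def after_slash(deposits, required_stake):
    """Tokens left in the pool once the whole stake is lost (100% slash)."""
    return sum(deposits.values()) - required_stake

def fcfs_withdraw(deposits, pool_balance):
    """Model of withdrawFromPool: depositors call in dict order and may take
    any amount up to depositBalance, limited by what the pool still holds."""
    paid = {}
    for who, balance in deposits.items():
        amount = min(balance, pool_balance)   # a larger transfer would revert
        pool_balance -= amount
        paid[who] = amount
    return paid

def pro_rata_withdraw(deposits, pool_balance):
    """Model of a shares mechanism: each depositor redeems their fraction
    of the pool's remaining tokens, so the loss is spread evenly."""
    total = sum(deposits.values())
    return {who: Fraction(balance * pool_balance, total)
            for who, balance in deposits.items()}

if __name__ == "__main__":
    # Constructed inputs: the report's scenario, then an exactly funded pool.
    for label, n in (("over-funded (report)", 10), ("exactly funded", 5)):
        deposits = {f"user{i}": 10 for i in range(n)}
        left = after_slash(deposits, required_stake=50)
        print(label, "| pool after slash:", left)
        print("  first-come:", list(fcfs_withdraw(deposits, left).values()))
        print("  pro-rata:  ", [int(v) for v in pro_rata_withdraw(deposits, left).values()])
```

In the exactly funded case both models pay every depositor zero, so the two mechanisms only diverge when the pool holds more than the stake it posted.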