Open howlbot-integration[bot] opened 2 months ago
We think it should be re-classified to med
because it's ultimately the DSS' responsibility to figure out which operators and vaults to take in via the registrationHook.selector
The crux of this issue and its duplicates is that for native vaults, vaultConfig.extraData
has no input validation in when calling deployVaults()
. This means the operator can set manager
, slashStore
and nodeImplementation
to anything.
This issue has demonstrated how an operator can create an unslashable vault by creating it with slashStore
as a different address than the whitelisted slashing handler for ETH. Slashing is core functionality of the protocol and being unable to do so would threaten the integrity of operators (eg. operator can act malicious, causing loss of funds, at no risk).
https://github.com/code-423n4/2024-07-karak-findings/issues/85 describes how the setting the manager will allow the operator to call restricted functions.
As such, I believe high severity is appropriate.
We think it should be re-classified to med because it's ultimately the DSS' responsibility to figure out which operators and vaults to take in via the
registrationHook.selector
Given that the DSS implementation isn't in-scope and wardens did not know what registrationHook
could/couldn't do during the contest, I don't think it is fair to downgrade the issue based on this.
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as selected for report
I believe this is a low severity issue because of two reasons:
1st, as the sponsor mentioned, it is DSS' responsibility to figure out which operators and vaults to take in. And obviously, DSS will make sure that the he can easily slash vaults/operators or not, if he doesn't it is totally his mistake.
2ndly and more importantly, even if the DSS misses to validate that and he cannot slash the operator, then its not like he is not gonna be able to do anything, He will simply jail that operator and force them to unstake.
So this issue can be easily handled by the DSS and an operator is gonna be able to avoid slashing only 1 time.
I personally think this is a QA/low severity issue, maybe a medium but def not High Severity issue.
I've already explained why I kept this as high in response to the sponsor, even though the DSS has the ability to reject operators.
Your escalation is just re-iterating whatever the sponsor said and speculating on DSS behavior.
This remains as high.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/SlasherLib.sol#L134-L138 https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/NativeVault.sol#L308
Vulnerability details
Impact
An operator can create a
NativeVault
which always revert whenslashAssets()
is call and make the vault unslashable.Proof of Concept
When an operator want to create a
NativeVault
, he call thedeployVaults()
function on theCore
contract with a custom config struct to give informations for the deployment. TheextraData
params is used to give themanager
,slahsStore
andnodeImplementation
addresses on theinitialize()
function of theNativeVault
.When an asset is allowed on the protocol, a
slashingHandler
address is associated with the asset address on theassetSlashingHandlers
mapping.NativeVault
is used to make native restaking with the ETH of Beacon Chain validators of users. When a slashing is executed, the address ofassetSlashingHandlers
mapping is inserted as a params in the callslashAssets()
:Then the function make this verification with the input address of
slashingHandler
:If the operator, during the initialization, insert a
slashStore
address which is different from theassetSlashingHandlers
address for ETH, the call on theNativeVault
will always revert and make the vault slash impossible.POC
You can add this PoC to the
./test/nativeRestaking/nativeVault.t.sol
:Add also this contract for the dss on the same file :
And execute the command:
forge test --mt test_createUnslashableVault -vvvvv
Tools Used
Manual Review
Recommended Mitigation Steps
You can add a verified
slashingHandler
for ETH on theCore
contract and verify the operator use the correctslashStore
params on theinitialize()
function in theNativeVault
, or on thedeployVaults()
forNativeVault
.Assessed type
Invalid Validation