Open howlbot-integration[bot] opened 2 months ago
MiloTruck changed the severity to QA (Quality Assurance)
This action will force the node owner to spend more on gas to finalize the initial snapshot before starting and finalizing another snapshot.
This is a good find, but I don't see this issue as high or medium severity - the maximum impact here is causing users to spend more gas, which doesn't fulfil the severity categorization:
2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
3 — High: Assets can be stolen/lost/compromised directly (or indirectly if there is a valid attack path that does not have hand-wavy hypotheticals).
The function of the protocol or its availability is not impacted here as users can still start a new snapshot. Furthermore, the "DOS" can only be performed once on each native node and an attacker has no incentive to pull this off.
MiloTruck marked the issue as grade-b
@MiloTruck I think this should pass as medium for few reasons;
The likelihood of this issue is high
Disagree, there's no motivation for an attacker to perform this attack.
If a nodeOwner had plan to updat snapshot with $200 reward from beacon spending just $50, user will have to spend $100, which obviously has reduced overall profitability of the noweOwner at that point in time. Imagine have to cause 100 new node owner spend extra $50, that amount to $5,000 for no reason!
How did you arrive at $50 in gas costs? If you're trying to prove this could cause significant financial losses, please provide evidence and non-hypothetical calculations.
Think my previous comment still stands, I don't believe this meets the severity categorization for medium.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/NativeVault.sol#L218-L220
Vulnerability details
Impact
New NodeOwners can be griefed by forcing them to provide proof for an empty snapshot without any shares increase/decrease on their node
The
startSnapshot()
on a node can only be called by the owner to prevent griefing of NodeOwners, this is to give liberty to nodeOwners on when to updateSnapshot to increase or decrease vault shares.Also, to prevent NodeOwner from stalling vault share update when they have a slashed validator, they ought to reduce node shares, there is
validateExpiredSnapshot()
method that allows anyone to start a snapshot for any node that has an expired snapshot.However, due to missing zero check on
node.lastSnapshotTimestamp
, a griefer can keep callingvalidateExpiredSnapshot(address nodeOwner)
on every newly deployed node that has validated a withdrawal credential.Proof of Concept
When nodes are newly deployed, a griefer can call
validateExpiredSnapshot(address nodeOwner)
immediately after the node owner callsvalidateWithdrawalCredentials()
(to mint initial node shares) that increasesnode.activeValidatorCount
before any award share increase.This action will force the node owner to spend more on gas to finalize the initial snapshot before starting and finalizing another snapshot.
This action will force the node owner to spend more on gas to finalize the initial snapshot before starting and finalizing another snapshot.
Instance
if (node.currentSnapshotTimestamp != 0) revert PendingIncompleteSnapshot();
when node owner tries to start snapshot.validateSnapshotProofs()
to finalize snapshot for 20! validators, restart again and revalidate to update shares(to avoid losing rewards from DSS)Tools Used
Manual review
Recommended Mitigation Steps
Also, to prevent instances where node owners after increasing validator count and got minted shares stalls shares update due to slashing, initiate
node.lastSnapshotTimestamp
increateNode()
After creating a node, owners are expected to validate withdrawal credentials. Active Validators are expected to get reward credit in 5days or might have gotten slashed due to inactivity withing 7days period, so node shares should get updated!
Assessed type
Invalid Validation