Closed howlbot-integration[bot] closed 2 months ago
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as unsatisfactory: Invalid
Invalid.
There is no issue with anyone submitting proofs for other node owners; the proofs are validated against the beacon chain in validateSnapshotProofs()
and cannot be falsified.
Hi @MiloTruck ,
Thank you for your review of our report. While we appreciate your insight that proofs cannot be falsified due to validation against the beacon chain, we believe the core of our concern remains valid. Let me elaborate:
startSnapshot
function can be front-run, allowing an attacker to manipulate the order of snapshots:function startSnapshot(bool revertIfNoBalanceChange)
external
nonReentrant
nodeExists(msg.sender)
whenFunctionNotPaused(Constants.PAUSE_NATIVEVAULT_START_SNAPSHOT)
{
_startSnapshot(_state().ownerToNode[msg.sender], revertIfNoBalanceChange, msg.sender);
}
There's no protection against a malicious actor front-running this call.
_startSnapshot
function overwrites any existing snapshot without checks:function _startSnapshot(NativeVaultLib.NativeNode storage node, bool revertIfNoBalanceChange, address nodeOwner)
internal
{
if (node.currentSnapshotTimestamp != 0) revert PendingIncompleteSnapshot();
// ... (snapshot creation logic)
node.currentSnapshotTimestamp = uint64(block.timestamp);
_updateSnapshot(node, snapshot, nodeOwner);
}
validateSnapshotProofs
function allows anyone to submit proofs for any node:function validateSnapshotProofs(
address nodeOwner,
BeaconProofs.BalanceProof[] calldata balanceProofs,
BeaconProofs.BalanceContainer calldata balanceContainer
)
external
nonReentrant
nodeExists(nodeOwner)
whenFunctionNotPaused(Constants.PAUSE_NATIVEVAULT_VALIDATE_SNAPSHOT)
{
// ... (proof validation logic)
}
While proofs are validated, this still allows an attacker to control the timing of balance updates.
The attack scenario:
startSnapshot
transactions.startSnapshot
.validateSnapshotProofs
calls.PendingIncompleteSnapshot
check).Impact:
While balances can't be falsified, the ability to control snapshot timing and order is a significant vulnerability that could be exploited for various malicious purposes.
Proposed mitigations:
We believe this issue remains valid and significant, and should be at least medium severity based on impact.
Sincerely, NexusAudits
This is still invalid.
A snapshot can only be started for a node by its node owner as startSnapshot()
uses msg.sender
:
function startSnapshot(bool revertIfNoBalanceChange)
external
nonReentrant
nodeExists(msg.sender)
whenFunctionNotPaused(Constants.PAUSE_NATIVEVAULT_START_SNAPSHOT)
{
_startSnapshot(_state().ownerToNode[msg.sender], revertIfNoBalanceChange, msg.sender);
}
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/NativeVault.sol#L112
Vulnerability details
Intro
The NativeVault contract's snapshot process is vulnerable to a front-running attack that could be exploited by a malicious node owner. This vulnerability stems from the ability of any node owner to initiate a snapshot and the subsequent ability for anyone to submit validator proofs for that snapshot. This will lead to a myriad of issues like denial of service and griefing attacks.
Details
Attack Vector
A malicious node owner can affect pending snapshots of other users through the following mechanism:
startSnapshot
transactions from other node owners.startSnapshot
call.validateSnapshotProofs
calls using manipulated proofs.Impact
Snapshot Overwriting:
startSnapshot
call, it overwrites thecurrentSnapshotTimestamp
andcurrentSnapshot
in the contract's state.Proof Invalidation Dos:
validateSnapshotProofs
function checks against thecurrentSnapshotTimestamp
:currentSnapshotTimestamp
, the attacker invalidates any proofs that legitimate users were preparing to submit for their own snapshots.Balance Update Manipulation:
snapshot.balanceDeltaWei
calculation, which directly impacts the balance updates for all users.Griefing through Delayed Balance Updates:
Legitimate users whose snapshots are overwritten will have to wait and attempt to start a new snapshot later.
This delay could prevent timely recognition of balance changes, potentially leading to:
Incorrect Balance Calculations:
Economic Losses:
Code Sections
https://github.com/code-423n4/2024-07-karak/blob/main/src/NativeVault.sol#L112
Recommendations
Assessed type
Other