Closed howlbot-integration[bot] closed 2 months ago
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as duplicate of #17
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as duplicate of #7
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as duplicate of #17
MiloTruck removed the grade
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as unsatisfactory: Invalid
MiloTruck removed the grade
MiloTruck marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/SlasherLib.sol#L79-L92
Vulnerability details
Summary
MAX_SLASHING_PERCENT_WAD can be exceeded if a NativeNode balance goes down due to withdrawn rewards from staking on the beacon chain. It is possible that the Veto committee won't be able to avoid it. This would also happen every time a slashing request is done with the maximum allowed percentage and the balance drops.
Vulnerability Details
fetchEarmarkedStakes in SlasherLib.sol is called when requesting a slash, and we have to wait 2 days after that until the finalizeSlashing() in Core.sol could be called.
But if in the next 2 days the total assets of the NativeVault have gone down due to awards withdrawn or validators opting out, the slash request that has been submitted by the DSS could end up overriding the MAX_SLASHING_PERCENT_WAD and slashing a higher percentage of the total assets, as the finalizeSlashing in SlasherLib.sol doesn't currently validate the balance and just slashes the amount from the slashing request:
Concept Scenario:
If the initial value of a vault is 3200 ETH (i.e., 100 validators) with a slashing limit of 20% (640 ETH), and if the DSS enforces the maximum slashing percentage, several issues could arise if at least one validator withdraws their stake before the slashing is finalized:
This scenario is likely if the withdrawal request precedes the slashing request, given the 9-day withdrawal window. It could be worsened by multiple withdrawals or other reductions in the vault’s balance, such as slashing from the beacon chain, being finalised within the 2-day
SLASHING_VETO_WINDOW
.This issue would consistently occur whenever the DSS opts for maximum slashing and the vault’s balance decreases thereafter. Its also possible if the slashing % is close to the maximum, or if the balance drops by a lot.
The Veto Committee might cancel a slashing request, but this only postpones the inevitable if the vault's balance remains unstable. Moreover, if the DSS insists on maximum slashing, the Veto Committee’s influence is limited, as the only solution would be the DSS itself to NOT slash the max %, which will resulting in over-slashing due to subsequent balance reductions.
Tools Used
Manual review
Recommendations
When finalizing the slashing request and performing the slash for the NativeVault, ensure that the total assets to be slashed do not exceed the MAX_SLASHING_PERCENT_WAD. If they do, simply adjust the amount to match the MAX_SLASHING_PERCENT_WAD.
Assessed type
Context