Closed howlbot-integration[bot] closed 2 months ago
MiloTruck marked the issue as not a duplicate
This should be a duplicate of https://github.com/code-423n4/2024-07-karak-findings/issues/49
MiloTruck changed the severity to QA (Quality Assurance)
For transparency, the judge notified C4 staff they inadvertently downgraded this issue by mistake. Reinstating medium severity.
MiloTruck marked the issue as duplicate of #49
MiloTruck marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/NativeVault.sol#L308
Vulnerability details
Bug description
When an asset is allowlisted in the Core, it's assigned a slashingHandler.
CoreLib.sol#L73
When NativeVault is being initialized, the slashStore is stored in storage.
NativeVault.sol#L75
When slashing is being finalized, Vault.slashAssets() is called with slashingHandler as one of the parameters. More specifically, the parameter is retrieved from the assetSlashingHandlers mapping of the Core contract.
SlasherLib.sol#L135-L138
In NativeVault::slashAssets() there is a check that ensures that the slashStore of the NativeVault is equal to the slashingHandler of the underlying asset.
NativeVault.sol#L308
If, after a vault was deployed with the correct slashStore, the slashingHandler is changed for ETH as an underlying asset, slashing won't work for such vaults.
Impact
DoS of slashing.
Recommended Mitigation
Allow the manager to change the slashStore of the NativeVault.
Assessed type
Other
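The mismatch described in this report, reduced to a minimal Solidity model. This is an added example, not code from the Karak repository or from the report; CoreModel, NativeVaultModel, setSlashingHandler, finalizeSlashing, setSlashStore and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the mismatch. All names are hypothetical, not Karak's code.
contract CoreModel {
    address public owner = msg.sender;
    mapping(address => address) public assetSlashingHandlers;

    // The handler for an asset can be replaced after vaults already exist.
    function setSlashingHandler(address asset, address handler) external {
        require(msg.sender == owner, "not owner");
        assetSlashingHandlers[asset] = handler;
    }

    // Finalizing a slash always passes the handler that is current in the Core.
    function finalizeSlashing(NativeVaultModel vault, address asset, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        vault.slashAssets(amount, assetSlashingHandlers[asset]);
    }
}

contract NativeVaultModel {
    error NotSlashStore();
    error NotManager();
    error NotCore();

    address public immutable core;
    address public immutable manager;
    address public slashStore; // snapshot taken at initialization

    constructor(address core_, address manager_, address slashStore_) {
        core = core_;
        manager = manager_;
        slashStore = slashStore_;
    }

    // Reverts once the Core's handler differs from the stored snapshot.
    function slashAssets(uint256 amount, address slashingHandler) external returns (uint256) {
        if (msg.sender != core) revert NotCore();
        if (slashingHandler != slashStore) revert NotSlashStore();
        return amount; // the actual transfer of slashed funds is omitted from this model
    }

    // Mitigation from the report: the manager can realign the snapshot.
    function setSlashStore(address newSlashStore) external {
        if (msg.sender != manager) revert NotManager();
        slashStore = newSlashStore;
    }
}
```

In this model, deploying the vault with handler A and then calling setSlashingHandler with handler B makes finalizeSlashing revert with NotSlashStore until the manager calls setSlashStore(B).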