c4-judge
commented
2 months ago MiloTruck marked the issue as not a duplicate
Closed howlbot-integration[bot] closed 2 months ago
c4-judge
commented
2 months ago MiloTruck marked the issue as not a duplicate
MiloTruck
commented
2 months ago This should be a duplicate of https://github.com/code-423n4/2024-07-karak-findings/issues/49
c4-judge
commented
2 months ago MiloTruck changed the severity to QA (Quality Assurance)
thebrittfactor
commented
2 months ago For transparency, the judge notified C4 staff they inadvertently downgraded this issue by mistake. Reinstating medium severity.
c4-judge
commented
2 months ago MiloTruck marked the issue as duplicate of #49
c4-judge
commented
2 months ago MiloTruck marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/NativeVault.sol#L308
Vulnerability details
Bug description
When assets are allowlisted in the Core, it's assigned a slashingHandler.
CoreLib.sol#L73
When NativeVault is being initialized, the slashStore is stored in storage.
NativeVault.sol#L75
When slashing is being finalized,
Vault.slashAssets()is called with slashingHandler as one of the parameters. More specifically, the parameter is retrieved from theassetSlashingHandlersmapping of the Core contract.SlasherLib.sol#L135-L138
In the
NativeVault::slashAssets()exists a check that ensures thatslashStoreof the NativeVault is equal to theslashingHandlerof the underlying asset.NativeVault.sol#L308
If after a vault was deployed with the correct slashStore, the slashingHandler is changed for ETH as an underlying asset, the slashing won't work for such vaults.
Impact
DoS of slashing.
Recommended Mitigation
Allow the manager to change the slashStore of the NativeVault.
Assessed type
Other