Open c4-bot-4 opened 2 months ago
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as duplicate of #17
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as primary issue
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as selected for report
The warden has demonstrated how if a vault's totalAssets decreases to 0 while a slash is pending, it will be impossible to finalizeSlashing() for that slash request.
As such, I believe medium severity is appropriate.
MiloTruck marked the issue as unsatisfactory: Invalid
Hey @MiloTruck,
Can you take another look at this? The report shows a scenario where a vault could be empty after a slash request due to either a full withdrawal or a full slash. While these cases are unlikely, they are possible—especially for newer vaults with fewer funds, and setting a slash rate to 100% is also valid. In this situation, a single vault reverting could impact multiple other vaults by blocking the full slash.
Thanks.
Seems like I marked this as unsatisfactory by mistake.
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L220
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Vault.sol#L193
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/SlashingHandler.sol#L52
Vulnerability details
Vulnerability Details:
The requestSlashing function allows a slashing to be requested for a given operator’s deployed vaults staked to the DSS. The slashing request must pass the SLASHING_VETO_WINDOW (2 days) before it can be confirmed, allowing the veto committee to cancel any unfair queued slashing.
This time gap can create situations where the requested slashed amount is no longer possible, as the contract might have had previous withdrawals or been slashed by other DSS’s in that time, reducing its overall balance. The slashAssets function in the vault contract handles this by taking the minimum of the requested slashed amount and the contract balance.
However, if the total assets in the contract are zero, the transferAmount will be zero. When this zero value is passed to the handleSlashing function, it will revert due to a check that ensures the amount is not zero.
As a result, since a slash request can include multiple slashes for different vaults, if this slashing reverts, the entire transaction will revert, blocking other vault slashes as well.
Impact:
If the slashAssets function encounters this scenario while attempting to slash assets, it will cause the entire transaction to revert. This will block other slashing requests within the same transaction and lead to additional logical issues as described above.
Proof Of Concept:
Tools Used:
Recommendation:
The slashAssets function in the vault contract should only approve and call handleSlashing if transferAmount is greater than zero. This way, the function will not revert, and other slashes will go through.
Assessed type
Invalid Validation
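The batch failure described in the report and the recommended guard, modelled in Python as an added example (not part of the report or of the Karak code base). The class names, the skip_zero flag, run_scenario and the vault balances are constructed for illustration, and the snapshot/rollback stands in for transaction atomicity.

```python
import copy

class Revert(Exception):
    """Stands in for an EVM revert."""

class SlashingHandler:
    def __init__(self):
        self.burned = 0

    def handle_slashing(self, amount):
        # The zero-amount check the report describes in handleSlashing.
        if amount == 0:
            raise Revert("zero amount")
        self.burned += amount

class Vault:
    def __init__(self, total_assets):
        self.total_assets = total_assets

    def slash_assets(self, requested, handler, skip_zero):
        # Take the minimum of the requested amount and the current balance.
        transfer_amount = min(requested, self.total_assets)
        # skip_zero=True models the recommendation: call the handler only
        # when transfer_amount is greater than zero.
        if transfer_amount > 0 or not skip_zero:
            handler.handle_slashing(transfer_amount)
            self.total_assets -= transfer_amount
        return transfer_amount

def finalize_slashing(vaults, requests, handler, skip_zero):
    """Apply every (vault, amount) pair atomically, like a single transaction."""
    saved_vaults, saved_burned = copy.deepcopy(vaults), handler.burned
    try:
        return [vaults[n].slash_assets(a, handler, skip_zero) for n, a in requests]
    except Revert:
        # One failing vault undoes the slashes already applied in this batch.
        vaults.clear()
        vaults.update(saved_vaults)
        handler.burned = saved_burned
        raise

def run_scenario(skip_zero):
    # Constructed state: three vaults queued in one slash request.
    vaults = {"A": Vault(100), "B": Vault(40), "C": Vault(70)}
    requests = [("A", 30), ("B", 20), ("C", 10)]
    vaults["B"].total_assets = 0  # B is emptied during the veto window
    handler = SlashingHandler()
    try:
        slashed = finalize_slashing(vaults, requests, handler, skip_zero)
    except Revert:
        slashed = None  # whole batch reverted
    return slashed, {n: v.total_assets for n, v in vaults.items()}, handler.burned
```

run_scenario(False) reproduces the reported behaviour, where vaults A and C stay unslashed because B is empty; run_scenario(True) applies the guard and lets the other two slashes go through.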