An operator can customize the slashStore address when creating a new vault. If that slashStore address differs from the slashingHandler, slashAssets always reverts.
Proof of Concept
DSSs have the right to slash vaults staked to them if they consider that an operator has failed to perform its tasks adequately.
In NativeVault.sol::slashAssets there is a slashingHandler != self.slashStore check.
The slashingHandler comes from the assetSlashingHandlers setting. It is a mapping where each asset corresponds to a specific slashingHandler address; MANAGER_ROLE in Core.sol can set this mapping via Core.sol::allowlistAssets. The slashStore, on the other hand, is an operator-chosen address passed in via extraData when a new vault is created (CoreLib.sol::createVault, NativeVault.sol::initialize).
If these two addresses are not the same, slashAssets will always revert.
test:
function testOperatorCreateCustomAvoidSlashRequest() public {
    // Setup NativeNode implementation
    address nativeNodeImpl = address(new NativeNode());
    // The operator can specify an arbitrary slashStore address.
    address slashStoreRandom = makeAddr('randomAddress');
    // Deploy Vaults
    VaultLib.Config[] memory vaultConfigs = new VaultLib.Config[](1);
    vaultConfigs[0] = VaultLib.Config({
        asset: Constants.DEAD_BEEF,
        decimals: 18,
        operator: operator,
        name: "NativeTestVault",
        symbol: "NTV",
        extraData: abi.encode(address(manager), slashStoreRandom, address(nativeNodeImpl))
    });
    vm.prank(operator);
    IKarakBaseVault[] memory vaults = core.deployVaults(vaultConfigs, address(0));
    nativeVault = NativeVault(address(vaults[0]));
    // The transaction reverts because the slashStore address does not match slashingHandler.
    vm.expectRevert(NotSlashStore.selector);
    // Slash assets as the vault owner (core).
    vm.prank(address(core));
    nativeVault.slashAssets(1, slashStore);
}
out:
[PASS] testOperatorCreateCustomAvoidSlashRequest() (gas: 1748139)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 13.10ms (1.89ms CPU time)
Ran 1 test suite in 150.85ms (13.10ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
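The root cause above, as an added simplified example that is not Karak's code: a hypothetical vault base with the slashAssets check, one subclass that decodes slashStore from operator-supplied extraData (the flawed pattern) and one that resolves it from a manager-controlled registry at construction, so the check stays enforceable. The ISlashingHandlerRegistry interface and the initialAssets/extraData parameters are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for Core's assetSlashingHandlers mapping (not Karak's interface).
interface ISlashingHandlerRegistry {
    function assetSlashingHandlers(address asset) external view returns (address);
}

error NotSlashStore();

abstract contract VaultBase {
    address public immutable core;
    address public slashStore;
    uint256 public totalAssets;

    constructor(address _core, uint256 initialAssets) {
        core = _core;
        totalAssets = initialAssets; // constructed sample balance
    }

    // Only core may slash, and the supplied handler must match the stored slashStore.
    function slashAssets(uint256 totalAssetsToSlash, address slashingHandler) external {
        require(msg.sender == core, "not core");
        if (slashingHandler != slashStore) revert NotSlashStore();
        // avoid negative totalAssets if slashing amount is greater than totalAssets
        if (totalAssetsToSlash > totalAssets) totalAssetsToSlash = totalAssets;
        totalAssets -= totalAssetsToSlash;
    }
}

// Flawed: slashStore is decoded from operator-supplied extraData, so the operator
// can pick a value that never equals the allowlisted handler and slashing always reverts.
contract FlawedVault is VaultBase {
    constructor(address _core, uint256 initialAssets, bytes memory extraData)
        VaultBase(_core, initialAssets)
    {
        slashStore = abi.decode(extraData, (address));
    }
}

// Hardened: slashStore is resolved from the manager-controlled registry at
// construction, so the check in slashAssets can always be satisfied by core.
contract HardenedVault is VaultBase {
    constructor(address _core, address asset, uint256 initialAssets)
        VaultBase(_core, initialAssets)
    {
        slashStore = ISlashingHandlerRegistry(_core).assetSlashingHandlers(asset);
        require(slashStore != address(0), "asset not allowlisted");
    }
}
```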
Tools Used
Foundry
Recommended Mitigation Steps
@@ -305,8 +305,6 @@ contract NativeVault is ERC4626, IBeacon, Pauser, INativeVault, OwnableRoles, Re
{
NativeVaultLib.Storage storage self = _state();
- if (slashingHandler != self.slashStore) revert NotSlashStore();
-
// avoid negative totalAssets if slashing amount is greater than totalAssets
if (totalAssetsToSlash > self.totalAssets) {
totalAssetsToSlash = self.totalAssets;
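Review bot: Deleting `if (slashingHandler != self.slashStore) revert NotSlashStore();` stops the revert but also removes the only validation of the `slashingHandler` argument, and in the visible hunk neither `slashingHandler` nor `self.slashStore` is referenced afterwards. Since the finding locates the root cause in `slashStore` being operator-supplied via extraData while the handler is set by MANAGER_ROLE through allowlistAssets, consider keeping the check and instead sourcing `self.slashStore` from Core's allowlisted handler at initialize (or validating the operator-supplied value against it), so the invariant is enforced rather than dropped; if the check is removed intentionally, document that callers are trusted and remove or repurpose the now-unused parameter.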
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/NativeVault.sol#L75
https://github.com/code-423n4/2024-07-karak/blob/main/src/entities/CoreLib.sol#L89-L116
Assessed type
Invalid Validation