code-423n4 / 2024-07-karak-validation


Validators can prevent the slash store from receiving slashed funds #230

Closed c4-bot-6 closed 2 months ago

c4-bot-6 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/NativeVault.sol#L277

Vulnerability details

Impact

Currently, validators are able to prevent the slash store from receiving any of their slashed funds by finishing their withdrawals before their assets are reduced by the slashing event.

Even though they would still lose the assets that have been slashed, they can prevent the slash store from ever receiving them.

Proof of Concept

To explain how the exploit may be performed, I will showcase a possible scenario:

1/ A validator has 32 ETH in their Native Node and 32 ETH in the Beacon Chain

2/ They initiate a withdrawal of 32 ETH

3/ Before the withdrawal has been finalized, a slashing event occurs, slashing 50% of all assets

4/ The validator's balance is yet to be affected by the slashing as they have a running snapshot that started before the slashing event (it needs to end for validateExpiredSnapshot to not revert)

5/ As the validator's withdrawableCreditedNodeETH has not been reduced by the slashing, they can finalize the withdrawal, receiving 32 ETH. They can withdraw 32 ETH because withdrawableCreditedNodeETH has not changed and convertToAssets(balanceOf(validator)) will also return 32 ETH (50% of 64 ETH)

6/ The other 32 ETH, which should be slashed, will remain in the Beacon Chain and the Slash Store will be unable to ever retrieve them

7/ The validator has no incentive to withdraw them from the Beacon Chain as they will get slashed

8/ To add to that, the validator continues to earn rewards on the slashed 32 ETH that should not belong to them

As a result, a validator is able to prevent the Slash Store from receiving the slashed funds, while earning rewards unfairly on funds that should not be in their possession.

Tools Used

Manual review

Recommended Mitigation Steps

In finalizeWithdraw, slashed funds should be taken out of the withdrawer's balance before they are allowed to withdraw their funds.

Assessed type

Other
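As an added illustration (not code from the report or from the Karak repository), the following is a constructed model of the ordering in steps 1-5: a withdrawal finalized after vault-level accounting reflects the slash but before withdrawableCreditedNodeETH does. The field names mirror the report; the simplified vault/node semantics and the settle_slash step standing in for the recommended mitigation are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Node:
    beacon_eth: int             # ETH still held on the beacon chain
    node_eth: int               # ETH already swept into the Native Node
    withdrawable_credited: int  # withdrawableCreditedNodeETH (lags the slash)
    shares: int                 # vault shares held by the validator
    pending_withdrawal: int     # ETH requested in the withdrawal started before the slash

@dataclass
class Vault:
    total_assets: int
    total_shares: int
    slash_store: int = 0        # ETH the slash store has actually received

    def convert_to_assets(self, shares):
        return shares * self.total_assets // self.total_shares

def slash(vault, percent):
    # Vault-level accounting drops at once; the node's credited ETH does not.
    vault.total_assets -= vault.total_assets * percent // 100

def settle_slash(vault, node):
    # Assumed mitigation step: move the node's slashed portion to the slash
    # store out of credited node ETH before any payout. Returns ETH moved.
    owed = node.beacon_eth + node.node_eth - vault.convert_to_assets(node.shares)
    paid = min(owed, node.node_eth)
    node.node_eth -= paid
    node.withdrawable_credited -= paid
    vault.slash_store += paid
    return paid

def finalize_withdraw(vault, node, mitigated):
    # Returns ETH paid to the validator; 0 means the withdrawal would revert.
    if mitigated:
        settle_slash(vault, node)
    amount = node.pending_withdrawal
    if amount > vault.convert_to_assets(node.shares) or amount > node.withdrawable_credited:
        return 0
    node.node_eth -= amount
    node.withdrawable_credited -= amount
    return amount

def scenario(mitigated):
    # Steps 1-5 of the report: 32 ETH in the node, 32 ETH on the beacon chain, 50% slash.
    vault = Vault(total_assets=64, total_shares=64)
    node = Node(beacon_eth=32, node_eth=32, withdrawable_credited=32,
                shares=64, pending_withdrawal=32)
    slash(vault, 50)
    paid = finalize_withdraw(vault, node, mitigated)
    return paid, vault.slash_store, node.beacon_eth
```

scenario(False) returns (32, 0, 32): the validator is paid the full 32 ETH while the slash store receives nothing from the node; scenario(True) returns (0, 32, 32): the node's slashed portion reaches the slash store first and the 32 ETH withdrawal no longer passes the checks.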

trachevgeorgi commented 2 months ago

This issue has been incorrectly excluded. As I have explained in the report, validators are able to prevent slashed funds from being transferred to the slash store, which has the same effect as [M-01] The User can deny paying slashed tokens from the Karak security review by Pashov Audit Group. Due to the essential similarity between the impacts of the issues, I believe the report should be valid.

MiloTruck commented 1 month ago

From the sponsor:

I don't see it as a problem in this scenario because the beacon chain will continuously be sweeping funds to the node which will slowly move to the slash store as and when the user starts new snapshots. And they will have an incentive to start new snapshots to increase their restaked eth coming from beacon chain yields. So the slash store might not immediately get all the funds but eventually it will.

There's no requirement for the slash store to get its funds within a certain time period - as long as it receives the funds eventually, there is no issue.

Additionally, the user does not gain any additional rewards as the yield from his validator will always be transferred to the slash store until his "debt" is repaid.