Closed c4-bot-6 closed 2 months ago
This issue has been incorrectly excluded. As I have explained in the report, validators are able to prevent slashed funds from being transferred to the slash store, which has the same effect as "[M-01] The User can deny paying slashed tokens" from the Karak security review by Pashov Audit Group. Due to the essential similarity between the impacts of the issues, I believe the report should be valid.
From the sponsor:
I don't see it as a problem in this scenario because the beacon chain will continuously be sweeping funds to the node which will slowly move to the slash store as and when the user starts new snapshots. And they will have an incentive to start new snapshots to increase their restaked eth coming from beacon chain yields. So the slash store might not immediately get all the funds but eventually it will.
There's no requirement for the slash store to get its funds within a certain time period - as long as it receives the funds eventually, there is no issue.
Additionally, the user does not gain any additional rewards as the yield from his validator will always be transferred to the slash store until his "debt" is repaid.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/NativeVault.sol#L277
Vulnerability details
Impact
Currently, a validator can prevent the slash store from receiving any of their slashed funds by finalizing their withdrawal before their credited node balance has been reduced by the slashing event.
Even though they would still lose the slashed assets in the vault's accounting, they can prevent the slash store from ever receiving them.
Proof of Concept
To explain how the exploit may be performed I will showcase a possible scenario:
1/ A validator has 32 ETH in their Native Node and 32 ETH on the Beacon Chain.
2/ They initiate a withdrawal of 32 ETH.
3/ Before the withdrawal has been finalized, a slashing event occurs, slashing 50% of all assets.
4/ The validator's balance is yet to be affected by the slashing, as they have a running snapshot that started before the slashing event (it needs to end for `validateExpiredSnapshot` to not revert).
5/ As the validator's `withdrawableCreditedNodeETH` has not been reduced by the slashing, they can finalize the withdrawal, receiving 32 ETH. They can withdraw 32 ETH because `withdrawableCreditedNodeETH` has not changed and `convertToAssets(balanceOf(validator))` will also return 32 ETH (50% of 64 ETH).
6/ The other 32 ETH, which should be slashed, will remain on the Beacon Chain and the Slash Store will never be able to retrieve them.
7/ The validator has no incentive to withdraw them from the Beacon Chain, as they would get slashed.
8/ On top of that, the validator continues to earn rewards on the slashed 32 ETH that should not belong to them.
As a result, a validator is able to prevent the Slash Store from receiving the slashed funds, while unfairly earning rewards on funds that should not be in their possession.
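The scenario above, together with the mitigation recommended at the end of this report, as an added accounting model written for this page (it is not Karak's NativeVault code). The `Node` and `Vault` classes, `settle_slash`, `sweep_beacon` and the `snapshot_started_before_slash` flag are assumptions that reduce the report's description to the minimum needed to show the ordering problem; `finalize_withdraw(..., settle_first=False)` models the current behaviour, and `settle_first=True` models debiting the slash from the withdrawer's balance before paying out.

```python
"""Constructed accounting model of the race described in the PoC.

Illustrative simulation written for this page; it is NOT the Karak NativeVault
code. The names withdrawable_credited_node_eth, finalize_withdraw and
convert_to_assets mirror identifiers quoted in the report, but their bodies are
assumptions about the behaviour the report describes.
"""
from dataclasses import dataclass


@dataclass
class Node:
    """One validator's Native Node, as tracked by the vault (assumed fields)."""
    withdrawable_credited_node_eth: float  # ETH swept from the beacon chain and credited to the node
    beacon_eth: float                      # ETH still on the beacon chain, not yet swept
    shares: float                          # vault shares held by the validator
    # True models a snapshot that started before the slash: the node's credited
    # balance is still the pre-slash value when the withdrawal is finalized.
    snapshot_started_before_slash: bool = False


@dataclass
class Vault:
    """Vault-level accounting (assumed): totals drop on slash, nodes are debited lazily."""
    total_assets: float
    total_shares: float
    slash_store: float = 0.0  # ETH actually delivered to the slash store
    slash_owed: float = 0.0   # ETH the slash store is entitled to but has not received

    def convert_to_assets(self, shares: float) -> float:
        if self.total_shares == 0:
            return 0.0
        return shares * self.total_assets / self.total_shares

    def slash(self, fraction: float) -> float:
        """Protocol-wide slash of `fraction` of all assets (step 3 of the PoC)."""
        amount = self.total_assets * fraction
        self.total_assets -= amount
        self.slash_owed += amount
        return amount

    def settle_slash(self, node: Node) -> float:
        """Move whatever slashable ETH the node currently holds to the slash store."""
        take = min(node.withdrawable_credited_node_eth, self.slash_owed)
        node.withdrawable_credited_node_eth -= take
        self.slash_owed -= take
        self.slash_store += take
        return take

    def sweep_beacon(self, node: Node) -> float:
        """Sweep beacon-chain ETH into the node; the fresh snapshot settles the debt first."""
        node.withdrawable_credited_node_eth += node.beacon_eth
        node.beacon_eth = 0.0
        return self.settle_slash(node)

    def finalize_withdraw(self, node: Node, requested: float, settle_first: bool) -> float:
        """Pay out a pending withdrawal (step 5 of the PoC).

        settle_first=False: current behaviour as the report describes it; a snapshot
        started before the slash leaves the node's credited balance untouched, so the
        payout is computed from stale data.
        settle_first=True: the recommended mitigation; the slash is taken out of the
        withdrawer's node balance before anything is paid out.
        """
        if settle_first or not node.snapshot_started_before_slash:
            self.settle_slash(node)
        paid = min(requested,
                   node.withdrawable_credited_node_eth,
                   self.convert_to_assets(node.shares))
        if paid > 0:
            burned = paid * self.total_shares / self.total_assets
            node.shares -= burned
            self.total_shares -= burned
            self.total_assets -= paid
            node.withdrawable_credited_node_eth -= paid
        return paid


def run_scenario(mitigated: bool) -> dict:
    """Steps 1-6 of the PoC with constructed balances; returns where the ETH ends up."""
    vault = Vault(total_assets=64.0, total_shares=64.0)   # 1: 32 in the node + 32 on the beacon chain
    node = Node(withdrawable_credited_node_eth=32.0, beacon_eth=32.0, shares=64.0,
                snapshot_started_before_slash=True)       # 4: snapshot predates the slash
    requested = 32.0                                      # 2: withdrawal initiated
    vault.slash(0.5)                                      # 3: 50% slash while the withdrawal is pending
    paid = vault.finalize_withdraw(node, requested, settle_first=mitigated)  # 5: finalize
    return {
        "paid_to_validator": paid,
        "slash_store": vault.slash_store,
        "slash_owed_stranded": vault.slash_owed,          # 6: only recoverable from the beacon chain
        "node_eth_left": node.withdrawable_credited_node_eth,
        "beacon_eth_unswept": node.beacon_eth,
        "validator_shares_value": vault.convert_to_assets(node.shares),
    }


def sweep_after_exploit() -> float:
    """Step 7: if the validator did sweep the remaining 32 ETH, all of it would go to the slash store."""
    vault = Vault(total_assets=64.0, total_shares=64.0)
    node = Node(32.0, 32.0, 64.0, snapshot_started_before_slash=True)
    vault.slash(0.5)
    vault.finalize_withdraw(node, 32.0, settle_first=False)
    return vault.sweep_beacon(node)  # ETH forfeited by sweeping, hence no incentive to sweep


if __name__ == "__main__":
    print("current  :", run_scenario(mitigated=False))
    print("mitigated:", run_scenario(mitigated=True))
    print("sweep after exploit forfeits:", sweep_after_exploit())
```

In the current-behaviour run the validator walks away with 32 ETH, the slash store receives nothing and the 32 ETH it is owed can only ever come from beacon-chain ETH the validator has no reason to sweep. With the slash settled against the withdrawer's node balance first, the slash store is paid 32 ETH before the withdrawal is honoured, and the validator's remaining shares are backed only by the unswept beacon balance.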
Tools Used
Manual review
Recommended Mitigation Steps
In `finalizeWithdraw`, slashed funds should be taken out of the withdrawer's balance before they are allowed to withdraw their funds.
Assessed type
Other