Tokens will be transferred to the startedWithdrawal.beneficiary address. The problem is that when the vault is slashed, tokens are transferred out of the vault:
    function slashAssets(uint256 totalAssetsToSlash, address slashingHandler) //@audit race condition if slashed
        external
        onlyCore
        returns (uint256 transferAmount)
    {
        transferAmount = Math.min(totalAssets(), totalAssetsToSlash);
        // Approve to the handler and then call the handler which will draw the funds
        SafeTransferLib.safeApproveWithRetry(asset(), slashingHandler, transferAmount);
        ISlashingHandler(slashingHandler).handleSlashing(IERC20(asset()), transferAmount); // <---
        emit Slashed(transferAmount);
    }
handleSlashing() function:
    function handleSlashing(IERC20 token, uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        if (!_config().supportedAssets[token]) revert UnsupportedAsset();
        SafeTransferLib.safeTransferFrom(address(token), msg.sender, address(this), amount);
        // Below is where custom logic for each asset lives
        SafeTransferLib.safeTransfer(address(token), address(0), amount); // <-- token transferred to address(0)
    }
When a slash happens between start redeem and finish redeem (which is possible, because MIN_WITHDRAWAL_DELAY = SLASHING_WINDOW + SLASHING_VETO_WINDOW), the tokens may not be enough for the user to call the finishRedeem() function. Since the shares have already been transferred to the vault, and the token amount to receive is calculated at start redeem, the user's tokens will be stuck in the vault.
Impact
The user's tokens can get stuck in the vault because of slashing.
Tools Used
Manual review.
Recommended Mitigation Steps
Allow the user to cancel the withdrawal during the withdrawal period, and transfer the shares back to the user.
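The sequence described above, reduced to a toy accounting model in Python. This is an added example, not code from the report or from Karak: the class, the method names and the numbers are constructed, and the share math is a simplification that follows the report's description (shares escrowed and payout fixed at start redeem).

```python
# Toy model of the accounting this report describes (constructed; not Karak's code).
class InsufficientAssets(Exception): pass  # stands in for the revert in finishRedeem()

class ToyVault:
    def __init__(self):
        self.total_assets = self.total_shares = 0
        self.shares = {}    # user -> share balance
        self.pending = {}   # user -> (escrowed shares, assets fixed at start)

    def deposit(self, user, assets):
        empty = self.total_shares == 0 or self.total_assets == 0
        minted = assets if empty else assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted

    def start_redeem(self, user, shares):  # shares go to the vault, payout fixed now
        assets = shares * self.total_assets // self.total_shares
        self.shares[user] -= shares
        self.pending[user] = (shares, assets)

    def slash(self, amount):
        self.total_assets -= min(self.total_assets, amount)  # as in slashAssets()

    def finish_redeem(self, user):
        shares, assets = self.pending[user]
        if assets > self.total_assets:
            raise InsufficientAssets(f"owed {assets}, vault holds {self.total_assets}")
        del self.pending[user]
        self.total_shares -= shares
        self.total_assets -= assets
        return assets

    def cancel_redeem(self, user):  # recommended mitigation: return escrowed shares
        shares, _ = self.pending.pop(user)
        self.shares[user] = self.shares.get(user, 0) + shares

def scenario(allow_cancel):
    v = ToyVault()
    v.deposit("alice", 100)
    v.start_redeem("alice", 100)   # payout fixed at 100 tokens
    v.slash(30)                    # vault now holds 70
    try:
        v.finish_redeem("alice")
    except InsufficientAssets:
        if allow_cancel:
            v.cancel_redeem("alice")
    return v.shares["alice"], "alice" in v.pending, v.total_assets
```

Without the cancel path the user ends with no shares and a pending withdrawal that cannot complete; with it, the shares return to the user and reflect the post-slash balance.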
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/Vault.sol#L125-#L149
https://github.com/code-423n4/2024-07-karak/blob/main/src/Vault.sol#L157-#L188
Vulnerability details
In the vault, to start a withdrawal, the user needs to call the startRedeem() function, wait until the withdrawal period finishes, and then call the finishRedeem() function.
Assessed type
Context