Lines of code
https://github.com/code-423n4/2024-07-karak/blob/ab18e1f6c03e118158369527baa2487b2b4616b1/src/NativeVault.sol#L168
Vulnerability details
Impact
A NativeNode should have one or more validators added via the validateWithdrawalCredentials(...) function, a NativeVault function that ensures the validator's withdrawal credentials point to the owner's NativeNode. Validators play a vital role: all Ethereum yield from the validators accrues to the NativeNode, awarding shares to the owner. These shares are then delegated to the Operator of the NativeVault and are subject to slashing. The number of snapshots required to update the balance of the NativeNode is also proportional to the number of validators.
However, the current implementation of the Karak protocol allows anyone to call validateWithdrawalCredentials(...) and add any validator to the NativeVault without the owner's consent. This vulnerability permits an attacker to add malicious validators to the NativeVault, potentially leading to the loss of the owner's funds and compromising the integrity of the NativeNode. Additionally, the protocol lacks a mechanism to remove a validator from the NativeVault.
NativeVault updates the node owner's shares based on balance changes on their NativeNode and on the beacon chain balance of the validators. This in turn changes the amount the node owner has staked into an Operator and therefore the rewards given to them, so it is essential that the owner has full control over which validators are added to their NativeVault.
Proof of Concept
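As an added illustration of the access-control gap described above (a simplified model written for this write-up, not Karak's NativeVault code), the unchecked shape of the function is shown beside an owner-gated one, together with an owner-only removal path. The names ownerToNode, pubkeyHash, _indexPlusOne and the 0x01 withdrawal-credential encoding are assumptions; the beacon-chain proof of the credentials is treated as already verified and omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model only, not Karak's NativeVault. Assumed simplifications:
//  - one NativeNode address per owner (ownerToNode), registered by that owner;
//  - validators are tracked by a hash of their pubkey (pubkeyHash);
//  - 0x01 withdrawal credentials: 0x01 || 11 zero bytes || node address;
//  - the beacon-state proof of the credentials is verified elsewhere and omitted.
contract NativeVaultModel {
    mapping(address => address) public ownerToNode;
    mapping(address => bytes32[]) private _validators;  // owner => validator pubkey hashes
    mapping(bytes32 => uint256) private _indexPlusOne;  // pubkeyHash => index + 1 (0 = absent)

    error NotNodeOwner();
    error CredentialsMismatch();
    error AlreadyAdded();
    error NotAdded();

    function registerNode(address node) external { ownerToNode[msg.sender] = node; }

    // Expected 0x01 credentials: 0x01 in the top byte, node address in the low 20 bytes.
    function expectedCredentials(address node) public pure returns (bytes32) {
        return bytes32((uint256(1) << 248) | uint256(uint160(node)));
    }

    // Unchecked shape: the credential check passes for any validator whose credentials
    // point at the owner's node, but nothing ties the caller to nodeOwner, so any account
    // can attach validators to someone else's node.
    function validateWithdrawalCredentialsUnchecked(address nodeOwner, bytes32 pubkeyHash, bytes32 credentials) external {
        _addValidator(nodeOwner, pubkeyHash, credentials);
    }

    // Gated shape: only the node owner may attach validators to their own node.
    function validateWithdrawalCredentials(address nodeOwner, bytes32 pubkeyHash, bytes32 credentials) external {
        if (msg.sender != nodeOwner) revert NotNodeOwner();
        _addValidator(nodeOwner, pubkeyHash, credentials);
    }

    // Owner-only removal (swap-and-pop); the report notes no such path exists today.
    function removeValidator(bytes32 pubkeyHash) external {
        uint256 idx = _indexPlusOne[pubkeyHash];
        if (idx == 0) revert NotAdded();
        bytes32[] storage list = _validators[msg.sender];
        if (idx > list.length || list[idx - 1] != pubkeyHash) revert NotNodeOwner();
        bytes32 last = list[list.length - 1];
        list[idx - 1] = last;
        _indexPlusOne[last] = idx;
        list.pop();
        delete _indexPlusOne[pubkeyHash];
    }

    function validatorCount(address owner) external view returns (uint256) { return _validators[owner].length; }

    function _addValidator(address owner, bytes32 pubkeyHash, bytes32 credentials) internal {
        if (credentials != expectedCredentials(ownerToNode[owner])) revert CredentialsMismatch();
        if (_indexPlusOne[pubkeyHash] != 0) revert AlreadyAdded();
        _validators[owner].push(pubkeyHash);
        _indexPlusOne[pubkeyHash] = _validators[owner].length;
    }
}
```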
Tools Used
Recommended Mitigation Steps
Assessed type
Access Control