From contest page, it can be seen that token that revert on transfer to the zero address is in scope:
In the normal vault, to slash asset, function slashAssets() need to be called:
function slashAssets(uint256 totalAssetsToSlash, address slashingHandler) external onlyCore returns (uint256 transferAmount)
{
transferAmount = Math.min(totalAssets(), totalAssetsToSlash);
// Approve to the handler and then call the handler which will draw the funds
SafeTransferLib.safeApproveWithRetry(asset(), slashingHandler, transferAmount);
ISlashingHandler(slashingHandler).handleSlashing(IERC20(asset()), transferAmount); // <--
emit Slashed(transferAmount);
}
handleSlashing() function:
function handleSlashing(IERC20 token, uint256 amount) external {
if (amount == 0) revert ZeroAmount();
if (!_config().supportedAssets[token]) revert UnsupportedAsset();
SafeTransferLib.safeTransferFrom(address(token), msg.sender, address(this), amount);
// Below is where custom logic for each asset lives
SafeTransferLib.safeTransfer(address(token), address(0), amount); // <---
}
In handleSlashing() function, to finish slashing, token will be transfered to address(0). It will revert when token is revert on transfer to zero address, lead to vault cant be slashed.
Impact
Can not slash tokens that revert on transfer to 0 address.
Tools Used
Manual review
Recommended Mitigation Steps
Slashed asset should be transfered to custom address that different from 0 address.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/SlashingHandler.sol#L52-#L59
Vulnerability details
Vulnerability details
From contest page, it can be seen that token that revert on transfer to the zero address is in scope:
In the normal vault, to slash asset, function
slashAssets()
need to be called:handleSlashing()
function:In
handleSlashing()
function, to finish slashing, token will be transfered to address(0). It will revert when token is revert on transfer to zero address, lead to vault cant be slashed.Impact
Can not slash tokens that revert on transfer to 0 address.
Tools Used
Manual review
Recommended Mitigation Steps
Slashed asset should be transfered to custom address that different from 0 address.
Assessed type
Other