search

code-423n4 / 2024-07-karak-validation

0 stars 0 forks source link

can not slash token that revert on transfer to zero address #327

Closed c4-bot-10 closed 2 months ago

c4-bot-10 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/main/src/SlashingHandler.sol#L52-#L59

Vulnerability details

Vulnerability details

From contest page, it can be seen that token that revert on transfer to the zero address is in scope:

img

In the normal vault, to slash asset, function slashAssets() need to be called:

function slashAssets(uint256 totalAssetsToSlash, address slashingHandler) external onlyCore returns (uint256 transferAmount)
{
    transferAmount = Math.min(totalAssets(), totalAssetsToSlash);

    // Approve to the handler and then call the handler which will draw the funds
    SafeTransferLib.safeApproveWithRetry(asset(), slashingHandler, transferAmount);
    ISlashingHandler(slashingHandler).handleSlashing(IERC20(asset()), transferAmount);   // <--

    emit Slashed(transferAmount);
}

handleSlashing() function:

function handleSlashing(IERC20 token, uint256 amount) external {
    if (amount == 0) revert ZeroAmount();
    if (!_config().supportedAssets[token]) revert UnsupportedAsset();

    SafeTransferLib.safeTransferFrom(address(token), msg.sender, address(this), amount);
    // Below is where custom logic for each asset lives
    SafeTransferLib.safeTransfer(address(token), address(0), amount);   // <---
}

In handleSlashing() function, to finish slashing, token will be transfered to address(0). It will revert when token is revert on transfer to zero address, lead to vault cant be slashed.

Impact

Can not slash tokens that revert on transfer to 0 address.

Tools Used

Manual review

Recommended Mitigation Steps

Slashed asset should be transfered to custom address that different from 0 address.

Assessed type

Other