The NativeVault contract's snapshot process is vulnerable to a front-running attack that could be exploited by a malicious node owner. This vulnerability stems from the ability of any node owner to initiate a snapshot and the subsequent ability for anyone to submit validator proofs for that snapshot. This leads to a range of issues, including denial of service and griefing attacks.
Details
Attack Vector
A malicious node owner can interfere with the pending snapshots of other node owners as follows:
1. Monitor the mempool for startSnapshot transactions from other node owners.
2. Front-run such a transaction with their own startSnapshot call.
3. Immediately follow up with validateSnapshotProofs calls that carry manipulated proofs.
Impact
Snapshot Overwriting:
When a malicious actor front-runs a legitimate startSnapshot call, it overwrites the currentSnapshotTimestamp and currentSnapshot in the contract's state.
This effectively cancels the pending snapshot of the legitimate user, as the contract now considers the malicious actor's snapshot as the current one.
Proof Invalidation DoS:
The validateSnapshotProofs function compares each validator's last balance update against the current snapshot timestamp:
if (validatorDetails.lastBalanceUpdateTimestamp >= node.currentSnapshotTimestamp) {
revert ValidatorAlreadyProved();
}
By replacing the current snapshot timestamp, the attacker invalidates the proofs that legitimate users were preparing to submit for their own snapshots. Note that the quoted check reads the timestamp from node, so the attack as described assumes that the front-running startSnapshot changes the value this check reads for the victim's node.
Balance Update Manipulation:
The attacker can submit manipulated proofs that misrepresent the balance changes of validators.
This affects the snapshot.balanceDeltaWei calculation, which directly impacts the balance updates for all users.
Griefing through Delayed Balance Updates:
Legitimate users whose snapshots are overwritten will have to wait and attempt to start a new snapshot later.
This delay could prevent timely recognition of balance changes, potentially leading to:
Delayed reward distributions
Inaccurate representation of user stakes
Misalignment with actual validator performances on the beacon chain
Incorrect Balance Calculations:
If the attacker's manipulated proofs are accepted, the result could be:
Overstating of the attacker's balance increases
Understating of the attacker's balance decreases
Potential understating of other users' balance increases
Possible overstating of other users' balance decreases
Economic Losses:
Users might miss out on timely withdrawal opportunities due to understated balances.
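The following Solidity is an added illustration written for this page; it is not code from the finding or from Karak's NativeVault. It contrasts the snapshot design the finding describes (one vault-wide snapshot slot that any node owner's startSnapshot replaces, with proofs accepted from anyone against that shared slot) with a hardened pattern in which snapshot state is kept per node, a node owner can only open a snapshot for their own node, and an open snapshot cannot be replaced until every expected proof has landed. Contract names, isNodeOwner, remainingProofs, validatorCount, snapshotTimestampOf, PendingIncompleteSnapshot and NothingToProve are assumed names, and the beacon-chain proof verification is replaced by a trusted deltaWei argument so the state-machine logic stays visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration for this page; names and storage layout are
// assumptions, not Karak's NativeVault. Proof verification against the
// beacon block root is omitted and replaced by a trusted `deltaWei` input.

/// Pattern the finding describes: a single vault-wide snapshot slot that
/// any node owner's startSnapshot() overwrites, with no pending-snapshot guard.
contract SharedSnapshotVault {
    struct Snapshot {
        uint64 parentBeaconBlockTimestamp;
        int256 balanceDeltaWei;
    }

    mapping(address => bool) public isNodeOwner;
    // validator identifier => snapshot timestamp at which it was last proved
    mapping(bytes32 => uint64) public lastBalanceUpdateTimestamp;

    uint64 public currentSnapshotTimestamp;
    Snapshot public currentSnapshot;

    error NotNodeOwner();
    error NoActiveSnapshot();
    error ValidatorAlreadyProved();

    constructor(address[] memory owners) {
        for (uint256 i = 0; i < owners.length; i++) isNodeOwner[owners[i]] = true;
    }

    function startSnapshot() external {
        if (!isNodeOwner[msg.sender]) revert NotNodeOwner();
        // A front-running caller simply replaces whatever was pending.
        currentSnapshotTimestamp = uint64(block.timestamp);
        currentSnapshot = Snapshot({parentBeaconBlockTimestamp: uint64(block.timestamp), balanceDeltaWei: 0});
    }

    // Callable by anyone; every accepted delta lands in the one shared snapshot.
    function validateSnapshotProofs(bytes32 validatorId, int256 deltaWei) external {
        if (currentSnapshotTimestamp == 0) revert NoActiveSnapshot();
        // Each validator may be proved at most once per snapshot timestamp.
        if (lastBalanceUpdateTimestamp[validatorId] >= currentSnapshotTimestamp) {
            revert ValidatorAlreadyProved();
        }
        lastBalanceUpdateTimestamp[validatorId] = currentSnapshotTimestamp;
        currentSnapshot.balanceDeltaWei += deltaWei;
    }
}

/// Hardened pattern: snapshot state is scoped to the node, only the node's
/// owner can open a snapshot for it, and an open snapshot is never replaced
/// until all expected proofs have been submitted.
contract PerNodeSnapshotVault {
    struct NativeNode {
        uint64 currentSnapshotTimestamp;
        int256 balanceDeltaWei;
        uint256 remainingProofs;
        mapping(bytes32 => uint64) lastBalanceUpdateTimestamp;
    }

    mapping(address => bool) public isNodeOwner;
    mapping(address => NativeNode) internal nodes; // structs with mappings must stay in storage

    error NotNodeOwner();
    error NothingToProve();
    error PendingIncompleteSnapshot();
    error NoActiveSnapshot();
    error ValidatorAlreadyProved();

    constructor(address[] memory owners) {
        for (uint256 i = 0; i < owners.length; i++) isNodeOwner[owners[i]] = true;
    }

    // `validatorCount` is the number of validators that must be proved before
    // the snapshot closes (assumed input; a real vault would track this itself).
    function startSnapshot(uint256 validatorCount) external {
        if (!isNodeOwner[msg.sender]) revert NotNodeOwner();
        if (validatorCount == 0) revert NothingToProve();
        NativeNode storage node = nodes[msg.sender];
        // Refuse to overwrite a snapshot that is still being proved.
        if (node.currentSnapshotTimestamp != 0) revert PendingIncompleteSnapshot();
        node.currentSnapshotTimestamp = uint64(block.timestamp);
        node.balanceDeltaWei = 0;
        node.remainingProofs = validatorCount;
    }

    // Still callable by anyone, but only ever touches the named node's state.
    function validateSnapshotProofs(address nodeOwner, bytes32 validatorId, int256 deltaWei) external {
        NativeNode storage node = nodes[nodeOwner];
        if (node.currentSnapshotTimestamp == 0) revert NoActiveSnapshot();
        if (node.lastBalanceUpdateTimestamp[validatorId] >= node.currentSnapshotTimestamp) {
            revert ValidatorAlreadyProved();
        }
        node.lastBalanceUpdateTimestamp[validatorId] = node.currentSnapshotTimestamp;
        node.balanceDeltaWei += deltaWei;
        if (--node.remainingProofs == 0) {
            // Snapshot complete: clear the slot so the owner can start the next one.
            node.currentSnapshotTimestamp = 0;
        }
    }

    function snapshotTimestampOf(address nodeOwner) external view returns (uint64) {
        return nodes[nodeOwner].currentSnapshotTimestamp;
    }
}
```

In the shared variant, a second owner calling startSnapshot in the same block as, or just before, the victim resets currentSnapshotTimestamp and zeroes balanceDeltaWei for everyone. In the per-node variant the same call either opens the attacker's own snapshot or reverts with PendingIncompleteSnapshot, and nothing the attacker proves changes the victim node's delta.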
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/NativeVault.sol#L112
Recommendations
Assessed type
Other