search

code-423n4 / 2024-07-karak-validation

0 stars 0 forks source link

The `cancelSlashing` function should reset all the variables modified by the `requestSlashing` function #350

Closed c4-bot-8 closed 2 months ago

c4-bot-8 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/SlasherLib.sol#L94-L124 https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/SlasherLib.sol#L153-L168

Vulnerability details

Impact

The cancelSlashing function should reset all the variables modified by the requestSlashing function, so everything goes back to normal after canceling a slash event.

Proof of Concept

When a DSS requests a Slashing by calling the requestSlashing function in the core, this request is registered in the system updating the slashingRequests and the nextSlashableTimestamp mappings with their respective information for the request.

function requestSlashing(//...) external returns (QueuedSlashing memory queuedSlashing) 
{
        //...
        uint256[] memory earmarkedStakes = fetchEarmarkedStakes(slashingMetadata);
        queuedSlashing = QueuedSlashing({
            dss: dss,
            timestamp: uint96(block.timestamp),
            operator: slashingMetadata.operator,
            vaults: slashingMetadata.vaults,
            earmarkedStakes: earmarkedStakes,
            nonce: nonce
        });
        self.slashingRequests[calculateRoot(queuedSlashing)] = true;
        self.operatorState[slashingMetadata.operator].nextSlashableTimestamp[dss] =
            block.timestamp + Constants.SLASHING_COOLDOWN;
      //...
}

Once any request is registered the vetto committed can decide to cancel a slashing request for different reasons, so they can call the cancelSlashing function to do this, this function is in charge of canceling the slashing request and resetting all the variables back to normal, this function reset correctly the slashingRequests mapping, but it fails to reset the value of the nextSlashableTimestamp mapping, this will effectively block another slashing request for the SLASHING_COOLDOWN time (2 days).

function cancelSlashing(//...) external {
    //...

    delete self.slashingRequests[slashRoot];
    IDSS dss = queuedSlashing.dss;

    //...
}

Tools Used

Manual Review

Recommended Mitigation Steps

Consider also to reset the nextSlashableTimestamp mapping in the cancelSlashing function.

Assessed type

Other