The cancelSlashing function should reset all the variables modified by the requestSlashing function, so everything goes back to normal after canceling a slash event.
Proof of Concept
When a DSS requests a Slashing by calling the requestSlashing function in the core, this request is registered in the system updating the slashingRequests and the nextSlashableTimestamp mappings with their respective information for the request.
Once any request is registered the vetto committed can decide to cancel a slashing request for different reasons, so they can call the cancelSlashing function to do this, this function is in charge of canceling the slashing request and resetting all the variables back to normal, this function reset correctly the slashingRequests mapping, but it fails to reset the value of the nextSlashableTimestamp mapping, this will effectively block another slashing request for the SLASHING_COOLDOWN time (2 days).
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/SlasherLib.sol#L94-L124 https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/SlasherLib.sol#L153-L168
Vulnerability details
Impact
The
cancelSlashing
function should reset all the variables modified by therequestSlashing
function, so everything goes back to normal after canceling a slash event.Proof of Concept
When a DSS requests a Slashing by calling the
requestSlashing
function in the core, this request is registered in the system updating theslashingRequests
and thenextSlashableTimestamp
mappings with their respective information for the request.Once any request is registered the vetto committed can decide to cancel a slashing request for different reasons, so they can call the
cancelSlashing
function to do this, this function is in charge of canceling the slashing request and resetting all the variables back to normal, this function reset correctly theslashingRequests
mapping, but it fails to reset the value of thenextSlashableTimestamp
mapping, this will effectively block another slashing request for theSLASHING_COOLDOWN
time (2 days).Tools Used
Manual Review
Recommended Mitigation Steps
Consider also to reset the
nextSlashableTimestamp
mapping in thecancelSlashing
function.Assessed type
Other