Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L85
Vulnerability details
Impact
Every asset that a DSS is able to slash can be misappropriated by a rogue or compromised Manager. In addition, an attacker who has previously compromised the Manager EOA can use this capability deliberately to break the security rules and invariants of a particular DSS, because slashed funds no longer end up where the slashing logic intends.
Proof of Concept
In SlasherLib.finalizeSlashing() the slashingHandler for a given asset is read dynamically and passed to Vault.slashAssets(). The vault fully trusts the slashingHandler it receives and approves it to transfer the amount designated for slashing.
However, an account with the Manager role, which the client states may be an EOA, can change the slashingHandler of any asset at any time through Core.allowlistAssets() and CoreLib.allowlistAssets(). A compromised Manager EOA can therefore replace the trusted slashingHandler implementation for a widely used asset with a contract that drains and redirects the assets meant to be slashed. In addition, the attacker (compromised Manager) can trigger the slash directly by calling Core.finalizeSlashing().
Tools Used
Manual review
Recommended Mitigation Steps
Do not allow the slashing handler of an asset to be changed once it has been allowlisted, or enforce timelocked updates for any slashing handler change so that a pending handler swap is visible on-chain before it takes effect.
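The following is an added illustrative sketch of the timelocked variant of the mitigation; it is not Karak's code and not part of the original report. The contract, its function names (queueHandlerUpdate, executeHandlerUpdate, cancelHandlerUpdate, activeHandler), the separate guardian role and the 3-day delay are all assumptions chosen for the example. The point it demonstrates is that a single Manager key can no longer swap a handler and slash through it in one step: the swap is queued, observable and cancellable before it becomes the handler that finalizeSlashing() would hand to the vault.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative example only (not Karak's implementation). Replaces a direct
/// "set handler" path with a queue -> delay -> execute flow so a compromised
/// Manager cannot point slashing at an attacker-controlled handler immediately.
contract TimelockedSlashingHandlerRegistry {
    // Assumed delay; real value is a governance decision.
    uint256 public constant HANDLER_UPDATE_DELAY = 3 days;

    // Manager can propose handler changes (the role this finding is about).
    address public immutable manager;
    // Assumed higher-trust role (e.g. a multisig) that can veto a queued change.
    address public immutable guardian;

    struct PendingUpdate {
        address handler;
        uint256 executeAfter;
    }

    // asset => handler that finalizeSlashing-style code is allowed to use
    mapping(address => address) public slashingHandler;
    // asset => queued but not yet active handler
    mapping(address => PendingUpdate) public pending;

    event HandlerUpdateQueued(address indexed asset, address indexed handler, uint256 executeAfter);
    event HandlerUpdateExecuted(address indexed asset, address indexed handler);
    event HandlerUpdateCancelled(address indexed asset, address indexed by);

    error NotManager();
    error NotManagerOrGuardian();
    error ZeroAddress();
    error NothingPending(address asset);
    error TimelockNotExpired(uint256 executeAfter, uint256 now_);
    error HandlerNotAllowlisted(address asset);

    constructor(address _manager, address _guardian) {
        if (_manager == address(0) || _guardian == address(0)) revert ZeroAddress();
        manager = _manager;
        guardian = _guardian;
    }

    modifier onlyManager() {
        if (msg.sender != manager) revert NotManager();
        _;
    }

    /// Step 1: the Manager only queues the change. The active handler is untouched,
    /// and the emitted event gives monitoring / the guardian time to react.
    function queueHandlerUpdate(address asset, address handler) external onlyManager {
        if (asset == address(0) || handler == address(0)) revert ZeroAddress();
        uint256 executeAfter = block.timestamp + HANDLER_UPDATE_DELAY;
        pending[asset] = PendingUpdate({handler: handler, executeAfter: executeAfter});
        emit HandlerUpdateQueued(asset, handler, executeAfter);
    }

    /// Step 2: anyone may execute once the delay has passed; only the exact handler
    /// that was queued can become active, so nothing can be swapped in at the last moment.
    function executeHandlerUpdate(address asset) external {
        PendingUpdate memory p = pending[asset];
        if (p.handler == address(0)) revert NothingPending(asset);
        if (block.timestamp < p.executeAfter) revert TimelockNotExpired(p.executeAfter, block.timestamp);
        delete pending[asset];
        slashingHandler[asset] = p.handler;
        emit HandlerUpdateExecuted(asset, p.handler);
    }

    /// Veto path: the guardian (or the Manager itself, e.g. after key rotation)
    /// can drop a malicious queued handler before it ever becomes active.
    function cancelHandlerUpdate(address asset) external {
        if (msg.sender != manager && msg.sender != guardian) revert NotManagerOrGuardian();
        if (pending[asset].handler == address(0)) revert NothingPending(asset);
        delete pending[asset];
        emit HandlerUpdateCancelled(asset, msg.sender);
    }

    /// What a finalizeSlashing-style function should read before approving the vault's
    /// funds to a handler: only the active, timelock-vetted address, never the pending one.
    function activeHandler(address asset) external view returns (address handler) {
        handler = slashingHandler[asset];
        if (handler == address(0)) revert HandlerNotAllowlisted(asset);
    }
}
```

In this layout the attack from the Proof of Concept degrades from "swap handler, call finalizeSlashing, drain" into a queued event that sits on-chain for HANDLER_UPDATE_DELAY, during which the guardian can cancel it and the Manager key can be rotated. The first variant of the mitigation (immutable handler per asset) is simply this contract with executeHandlerUpdate reverting whenever slashingHandler[asset] is already non-zero.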
Assessed type
Access Control