code-423n4 / 2024-09-karak-mitigation-findings

ADD-02 MitigationConfirmed #20

Open c4-bot-1 opened 2 months ago

c4-bot-1 commented 2 months ago

Lines of code

Vulnerability details

C4 Issue:

N/A

Comments

In the previous implementation, when validating the withdrawal credentials of a BeaconChain validator, the timestamp of the provided proof was used to set validatorDetails.lastBalanceUpdateTimestamp.

NativeVault.sol#L195-L201

totalRestakedWei += self.validateWithdrawalCredentials(
    nodeOwner,
    // @audit-info timestamp of the proof
    beaconStateRootProof.timestamp,
    beaconStateRootProof.beaconStateRoot,
    validatorFieldsProofs[i]
);

NativeVaultLib.sol#L179

function validateWithdrawalCredentials(
    Storage storage self,
    address nodeOwner,
    uint64 updateTimestamp,
    bytes32 beaconStateRoot,
    BeaconProofs.ValidatorFieldsProof calldata validatorFieldsProof
) internal returns (uint256) {
    // ... (rest of the function body omitted in this excerpt)
    validatorDetails.lastBalanceUpdateTimestamp = updateTimestamp;
    // ...
}

As stated by the sponsor, the purpose of the mitigation was to simplify the logic and remove the updateTimestamp coming from the beacon state root proof, as well as to always keep the snapshot timestamp as the source of truth.

Mitigation

FIX: Now the lastBalanceUpdateTimestamp of the validator is set either to the timestamp of the last snapshot or, if there is an ongoing snapshot, to the timestamp of the current snapshot. The mitigation simplifies the logic of the withdrawal credential validation process, making snapshot timestamps the only source of truth.

Conclusion

LGTM

c4-judge commented 2 months ago

MiloTruck marked the issue as satisfactory

c4-judge commented 2 months ago

MiloTruck marked the issue as confirmed for report