search

code-423n4 / 2024-09-karak-mitigation-findings

0 stars 0 forks source link

H-04 Unmitigated #26

Closed c4-bot-9 closed 2 months ago

c4-bot-9 commented 2 months ago

Lines of code

https://github.com/karak-network/karak-restaking/tree/v2/src/entities/SlasherLib.sol#L116-L150

Vulnerability details

Impact

Operators can avoid slashing.

Proof of Concept

As you can see from lines 126 to 131, the SlasherLib.finalizeSlashing() function skips unstaked vaults. Operators can exploit this to avoid slashing.

    function finalizeSlashing(CoreLib.Storage storage self, QueuedSlashing memory queuedSlashing) internal {
        ...

        for (uint256 i = 0; i < queuedSlashing.vaults.length; i++) {
            if (
126             !self.operatorState[queuedSlashing.operator].isVaultStakedToDSS(
                    queuedSlashing.dss, queuedSlashing.vaults[i]
                )
            ) {
                emit SkippedSlashing(queuedSlashing.vaults[i]);
131             continue;
            }
            ...

Let's consider the following scenario:

  1. The operator calls the Core.requestUpdateVaultStakeInDSS() function to unstake Vault 1 from DSS, initiating the 9-day MIN_STAKE_UPDATE_DELAY.
  2. After 8 days, the DSS calls the Core.requestSlashing() function on the operator’s Vault 1, starting the 2-day SLASHING_VETO_WINDOW.
  3. After 1 day, the operator calls the Core.finalizeUpdateVaultStakeInDSS() function to complete the unstaking of Vault 1 from DSS.
  4. After another day, the DSS (or anyone) calls the Core.finalizeSlashing() function to finalize the slashing of the operator's Vault 1.

However, the slashing will skip Vault 1 since the vault has already been unstaked from the DSS.

Tools Used

Manual review

Recommended Mitigation Steps

It is recommended to disallow unstaking vaults that have a pending slashing.

Assessed type

Other

MiloTruck commented 2 months ago

Will let the sponsor take a look too, but I believe this is intended.

Only vaults within SLASHING_WINDOW should be slashable (ie. the first 7 days). Once SLASHING_WINDOW has passed, they shouldn't be slashed anymore.

Additionally, this is case of a mitigation causing a separate H/M issue and should be submitted as a new finding. H-04 has been mitigated.

c4-judge commented 2 months ago

MiloTruck marked the issue as new finding

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Invalid

c4-judge commented 2 months ago

MiloTruck removed the grade

c4-judge commented 2 months ago

MiloTruck marked the issue as unmitigated

c4-judge commented 2 months ago

MiloTruck marked the issue as nullified

c4-judge commented 2 months ago

MiloTruck marked the issue as new finding

c4-judge commented 2 months ago

MiloTruck marked the issue as not nullified

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Invalid