H-03 MitigationConfirmed

[c4-bot-5]

Lines of code

Vulnerability details

C4 issue

H-03: A DoS on snapshots due to a rounding error in calculations.

Link to issue

Comments

The original implementation did not properly handle potential integer underflows caused by rounding errors during snapshot calculations. This oversight could result in a DoS scenario, where users are unable to withdraw their funds.

Mitigation

Fix link

The mitigation addresses this issue by ensuring that the slashedAssets calculation only takes place if the totalRestakedETH is greater than the calculated assets based on their current share balance.

    function _burnSlashed(address nodeOwner) internal {
        NativeVaultLib.Storage storage self = _state();
        NativeVaultLib.NativeNode storage node = self.ownerToNode[nodeOwner];

        uint256 slashedAssets;
        // Account for rounding errors which might make convertToAssets() > totalRestakedETH
        if (node.totalRestakedETH > convertToAssets(balanceOf(nodeOwner))) {
            // slashed ETH = total restaked ETH (node + beacon) - share price equivalent ETH
            slashedAssets = node.totalRestakedETH - convertToAssets(balanceOf(nodeOwner));
        }

        // sweepable ETH = min(ETH available on node that has been minted shares for, total slashed ETH)
        uint256 slashedWithdrawable = Math.min(node.withdrawableCreditedNodeETH, slashedAssets);

        // withdraw sweepable ETH to slashStore
        INativeNode(node.nodeAddress).withdraw(address(0), slashedWithdrawable);

        // update total restaked ETH available (node + beacon)
        node.totalRestakedETH -= slashedWithdrawable;
        node.withdrawableCreditedNodeETH -= slashedWithdrawable;
    }

Conclusion

The applied mitigation effectively resolves the rounding error issue by implementing safeguards that prevent underflows during slashing calculations.

[c4-judge]

MiloTruck marked the issue as satisfactory