Open hats-bug-reporter[bot] opened 10 months ago
This is by design.
Our idea here is that the whole thing is an optimistic process - i.e. we assume all parties are in good faith, and if they are not this is an exception, not the rule. So in the scenerio you describe, the vault committee's claim has been overruled by the expert comittee's claim, and the expert committee's claim is then dismissed by the court. If things are working as they should, this should not happen (i..e we normally expect the vault committee's claim to be fair, and if it is not, then definitely the expert committee's claim should be fair). If both of these committee's fail (according to the kleros court), something has Really Gone Wrong.
We think it is good that in this case, depositors can withdraw from the vault.
Github username: @bahurum Submission hash (on-chain): 0x1398bad727b98575f754097c690fc0bd1e63666ab475956b31251410b77bb25f Severity: medium
Description: Description\ A depositor of the
HATVault
has the possibility to withdraw its deposit and avoid paying for a bounty if the arbitration process over the bounty amount is not conclusive (the claim is disputed, the dispute is accepted by the expert committee but the resolution is dismissed by the court).Attack Scenario
dismissResolution()
. The claim is dismissed and no payout is madeSome depositors in the vault know that the bug is real and some payout must be made either for medium or high severity. They Call
HATVault.withdrawRequest()
in the period of time between 1. and 5. Even if they don't know beforehand if the arbitration process will end in a resolution dismissal (as above) or how much time it will take, it is likely that some depositor will manage to time the withdraw request right so that the resolution is dismissed during theirwithdrawRequestEnablePeriod
, and they are able to withdraw their deposit in full just after the resolution is dismissed.When a new claim is made for the bounty and the claim is approved after a second arbitration, the bounty that will be payed will be smaller because some depositors exited the vault.
Recommendation\ A solution to this issue is to block calls to
withdrawRequest()
during an active claim and to check thatwithdrawRequestEnablePeriod + withdrawRequestPendingPeriod
time has elapsed since the creation of the claim so that any withdraw request created before the claim submission has expired.