Open hats-bug-reporter[bot] opened 1 month ago
good find frend
some comments on this.
If a user want to raise the unlock request, they have to transfer the sAZERO first.
Whenever a request is created, if ID already exists, that id would be used, no new id will be created.
correct me if i am wrong.
@aktech297 yes, but when processing the batch requests, a single request can be processed multiple times. The attacker would not gain more tokens, but total pooled would be decreased multiple times, and next transfers expect that the total pooled value is at least the total amount of claims, which it will be not, so not all tokens will be available for withdraw.
'A single request can be processed multiple time '
I think once the request is processed, it is removed from the list. Pls check
@aktech297 Please look at the code of the Valut contract, then on the PoC and run it.
Addressed in kintsu-contracts@461fe1
Hi @bmino, I have checked the fix. How do you ensure that the Vec coming in is sorted? If you do not enforce it, malicious users could still abuse this. Please correct me if I missed something.
EDIT: I have checked the fix again. You are checking if i-th id is greater than (i-1)-th id which enforces it, so it seems OK to me 😄
Addressed in kintsu-contracts@461fe1
Seems good
Github username: @coreggon11 Twitter username: krikoeth Submission hash (on-chain): 0x1bda75aedd1a99a341c83ebcc4df13c20679af8863a06c9d29b1f32170384788 Severity: high
Description:
Description
Users who stake AZERO can withdraw their stakes by first calling
request_unlock
and then, after a certain period they will callsend_batch_unlock_requests
to retrieve the tokens they requested to the vault, along with other requesters in the batch, to callredeem
afterwards. The contract checks if abatch_id
was already unlocked, and reverts if it was. However, users can send duplicatebatch_ids
to a single call, resulting in thetotal_pooled
being decreased several times by the same amount of requested withdrawals. Sincetotal_pooled
can be brought to near 0 this way, future calls tosend_batch_unlock_requests
will revert, resulting in users being unable to withdraw, since decreasing oftotal_pooled
by a value greater thantotal_pooled
will overflow and revert.Proof of concept
Consider the following test:
Alice calls
send_batch_unlock_requests
with duplicatefirst_batch_id
, which will decrease thetotal_pooled
by 1_000_000, although Alice is only withdrawing 500_000. We panic in the test to see the debug log, which results in the following:We can see that
total_pooled
was decreased by 1_000_000 (some dust left). The claims left are 4_500_000, and it is impossible to get it all back now. If we duplicate thebatch_id
more times, we can bring it to almost 0.Recommendation
Consider not allowing duplicate
batch_ids
in thesend_batch_unlock_requests
function.