hats-finance / Kintsu-0x7d70f9442af3a9a0a734fa6a1b4857f25518e9d2

Smart contracts for Kintsu

Minimum Stake Not Checked for Each Nomination Agent #48

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x109b9c70352753d22fcdd5f5ccae2d8b22a9b8be3293ebcf259c396fbed7008e
Severity: medium

Description: The minimum stake that can go through a nomination pool is 10 AZERO, and the stake function of the contract checks for this value as shown here. The issue is that this check should be done for each agent, not just on the input stake amount.

Impact: The lack of this check can cause the stake function to fail, leading to a Denial of Service (DoS) scenario when staking amounts that are split between multiple agents fall below the minimum required stake for each agent.

Proof of Concept (PoC) / Scenario: Each agent's bond amount is calculated in the delegate_bonding function. Consider the following scenario:

  1. A user sees the minimum stake is 10 AZERO.
  2. There are two nomination agents, each with a weight of 1, so each agent will receive 5 AZERO from a 10 AZERO stake.
  3. When the user stakes 10 AZERO, the initial check passes, but the call to each nomination agent reverts with a CallRuntimeFailed error because the amount each agent receives (5 AZERO) is below the minimum stake requirement.

Revised Code File (Optional): Instead of checking the user's stake amount, find the lowest amount that will go to an agent and check that against the minimum stake.
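As an added example, not code from the Kintsu contracts or from the reporter: a plain-Rust model of the two-agent scenario above, showing the total-only check beside the per-agent check the report proposes. The proportional split by weight, the names `split_by_weight`, `check_stake_per_agent` and `min_total_stake`, and the `simulate_bond` stand-in for the runtime call are all assumptions; the page does not show delegate_bonding's actual arithmetic, and amounts are in whole AZERO only to match the issue's numbers.

```rust
// Added example (not Kintsu code). Models the per-agent split from the issue and
// compares the existing total-only minimum check with a per-agent check.

/// Pool minimum from the report, in whole AZERO for readability (assumption: the
/// real contract works in the chain's base unit).
pub const MIN_STAKE: u128 = 10;

/// A nomination agent and the weight used to split incoming stake (assumed model).
#[derive(Debug, Clone)]
pub struct Agent {
    pub name: &'static str,
    pub weight: u128,
}

/// Assumed model of delegate_bonding: split `amount` across agents in proportion
/// to weight using integer division; rounding dust goes to the last active agent
/// so the shares always sum to `amount`. Agents with weight 0 receive nothing.
pub fn split_by_weight(amount: u128, agents: &[Agent]) -> Vec<u128> {
    let total: u128 = agents.iter().map(|a| a.weight).sum();
    if total == 0 {
        return vec![0; agents.len()];
    }
    let mut shares: Vec<u128> = agents.iter().map(|a| amount * a.weight / total).collect();
    let distributed: u128 = shares.iter().sum();
    if let Some(i) = agents.iter().rposition(|a| a.weight > 0) {
        shares[i] += amount - distributed;
    }
    shares
}

#[derive(Debug, PartialEq)]
pub enum StakeError {
    BelowMinimum,
    AgentBelowMinimum { agent: &'static str, amount: u128 },
}

/// The check as the report describes it: only the user's total is compared
/// with MIN_STAKE, so a 10 AZERO stake passes regardless of how it is split.
pub fn check_stake_total_only(amount: u128) -> Result<(), StakeError> {
    if amount < MIN_STAKE {
        Err(StakeError::BelowMinimum)
    } else {
        Ok(())
    }
}

/// The proposed check: every agent that will actually receive a bond must get at
/// least MIN_STAKE. Zero-weight agents are skipped because they receive nothing.
pub fn check_stake_per_agent(amount: u128, agents: &[Agent]) -> Result<Vec<u128>, StakeError> {
    check_stake_total_only(amount)?;
    let shares = split_by_weight(amount, agents);
    for (agent, &share) in agents.iter().zip(&shares) {
        if agent.weight > 0 && share < MIN_STAKE {
            return Err(StakeError::AgentBelowMinimum { agent: agent.name, amount: share });
        }
    }
    Ok(shares)
}

/// Smallest total stake at which every active agent receives at least MIN_STAKE
/// under the assumed split: ceil(MIN_STAKE * total_weight / smallest_active_weight).
/// This is the number a front end could show instead of the flat 10 AZERO.
pub fn min_total_stake(agents: &[Agent]) -> Option<u128> {
    let total: u128 = agents.iter().map(|a| a.weight).sum();
    let w_min = agents.iter().filter(|a| a.weight > 0).map(|a| a.weight).min()?;
    Some((MIN_STAKE * total + w_min - 1) / w_min)
}

/// Stand-in for the runtime bond call from the PoC: a bond below the pool
/// minimum fails with the error name quoted in the report (constructed).
pub fn simulate_bond(share: u128) -> Result<(), &'static str> {
    if share < MIN_STAKE {
        Err("CallRuntimeFailed")
    } else {
        Ok(())
    }
}

fn main() {
    // Scenario from the issue: two agents of weight 1, user stakes exactly 10 AZERO.
    let agents = [Agent { name: "A", weight: 1 }, Agent { name: "B", weight: 1 }];
    let stake = 10;
    println!("total-only check on {stake}: {:?}", check_stake_total_only(stake));
    for (agent, share) in agents.iter().zip(split_by_weight(stake, &agents)) {
        println!("bond {share} AZERO to {}: {:?}", agent.name, simulate_bond(share));
    }
    println!("per-agent check on {stake}: {:?}", check_stake_per_agent(stake, &agents));
    println!("minimum total for these weights: {:?}", min_total_stake(&agents));
    println!("per-agent check on 20: {:?}", check_stake_per_agent(20, &agents));
}
```

The per-agent check rejects the 10 AZERO stake up front with the offending agent and amount, instead of letting the first bond call fail mid-transaction, and `min_total_stake` turns the weights into the user-facing minimum that bgibers' comment below implies changes whenever a pool is added or a weight is set above zero.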

bgibers commented 1 month ago

I think this is better categorized as a low instead of a medium, since no funds or functionality are at risk. It cannot be abused to DoS and only applies when a new pool is first added to the protocol or a weight is set to >0.

aktech297 commented 1 month ago

Minimum stake is supposed to be on the user not on the agents.

Agents are nominated by the admin.

@bgibers do you think this qualifies for low? Isn't this as per design?

bgibers commented 1 month ago

> Minimum stake is supposed to be on the user not on the agents.
>
> Agents are nominated by the admin.
>
> @bgibers do you think this qualifies for low? Isn't this as per design?

I believe @0xmahdirostami is right here, as per the proof of concept presented. We have discussed some solutions that will fix this issue as well as several others, related to Kintsu being the initial deposit per nomination pool

bgibers commented 1 month ago

After final internal review of all issues this is deemed better as a medium