Open hats-bug-reporter[bot] opened 1 month ago
Github username: -- Twitter username: -- Submission hash (on-chain): 0xa1831e597d297298b9a2f85b76ebd02df7e13008d4dc569249e2a87117190381 Severity: medium
Description: Description\ As stated in Conditions for a permissionless dispatch, when The pool is in destroy mode and the target is not the depositor., the nomination-pools.withdraw_unbonded can be called by anyone. Which consistents with nomination-pools.ok_to_withdraw_unbonded_with called in nomination-pools#L2256, and at the end of nomination-pools.withdraw_unbonded, the GasToken(AZERO) will be transferred to member_account which is nomination_agent in our case. Then according to nomination_agent.nomination_agent, the amount of GasToken(AZERO) sent to valut will be withdrawn = after - before;
The pool is in destroy mode and the target is not the depositor.
nomination-pools.withdraw_unbonded
member_account
nomination_agent
nomination_agent.nomination_agent
Attack Scenario\ So please consider in a case that the pool is in destroy mode, and someone else calls nomination-pools.withdraw_unbonded before the valut calls nomination_agent.withdraw_unbonded, the GasToken(AZERO) will be transferred to nomination_agent, and then when the vault calls nomination_agent.withdraw_unbonded, because the token has already be transferred to nomination_agent, the withdrawn = after - before will zero.
Which means that the GasToken(AZERO) won't be transferred to vault.
Github username: -- Twitter username: -- Submission hash (on-chain): 0xa1831e597d297298b9a2f85b76ebd02df7e13008d4dc569249e2a87117190381 Severity: medium
Description: Description\ As stated in Conditions for a permissionless dispatch, when
The pool is in destroy mode and the target is not the depositor., the nomination-pools.withdraw_unbonded can be called by anyone. Which consistents with nomination-pools.ok_to_withdraw_unbonded_with called in nomination-pools#L2256, and at the end ofnomination-pools.withdraw_unbonded, the GasToken(AZERO) will be transferred tomember_accountwhich isnomination_agentin our case. Then according tonomination_agent.nomination_agent, the amount of GasToken(AZERO) sent to valut will be withdrawn = after - before;Attack Scenario\ So please consider in a case that the pool is in destroy mode, and someone else calls nomination-pools.withdraw_unbonded before the valut calls nomination_agent.withdraw_unbonded, the GasToken(AZERO) will be transferred to
nomination_agent, and then when the vault calls nomination_agent.withdraw_unbonded, because the token has already be transferred to nomination_agent, the withdrawn = after - before will zero.Which means that the GasToken(AZERO) won't be transferred to vault.