Open hats-bug-reporter[bot] opened 1 month ago
@bgibers This should be a dup of #50, it's the same root cause.
@bgibers This should be a dup of #50, it's the same root cause.
let me take a look, ty ser
@coreggon11 I'm not entirely sure how Hats defines duplicates within their competition. The scenario and solution are going to be the same as that within 50, but the issue is different. We're fine leaving it as a medium
In certain scenarios (blocking or destroying), if a malicious user unbonds or withdraws, it will cause issues. Even though the scenario is the same, and both issues can be mitigated by handling either blocking or destroying, but the specific issues are different. I don't think it's a duplicate. Actually, it would be better to add these two numbers, 63 and 50, in one submission. However, we couldn't determine if one of them is a duplicate.
Yeah, I'm aware it's a valid find but usually, issues arising from the same root cause are duplicates (otherwise you can just spam 20 different issues on one root cause) 😄
Yeah, I'm aware it's a valid find but usually, issues arising from the same root cause are duplicates (otherwise you can just spam 20 different issues on one root cause) 😄
I think the scenario where issues could happen is the same, but not the root of it. For example, if the auditor just submits #50, and the sponsor mitigates the issue related to withdrawal, the current issue with unbond will remain.
The root cause is Permissionless calling of withdraw_unbonded
when the pool is in destroy mode and the target is not the depositor for both issues IMO.
this issue: The staked value does not get updated if someone performs a Permissionless calling unbond operation for a pool. issue #50: The tokens will stuck in the agent if someone performs a Permissionless calling withdraw_unbonded operation for a pool.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x2d23de0c9d7156034066433cc1df3172c24047206c11edb578419542588dd525 Severity: medium
Description: Description\
Unbounding process will be triggered via this
start_unboud
function below:The issue here is
staked
value will be unsynced due to the unbond can be permissionlessly called by anyone whenthe pool is destroying and the member is not the depositor
.Thus when someone trigger this
unbond
operation for a pool, thisstaked
value is not updated.This
staked
var is fetched viaget_staked_value
then it finally called inget_weight_imbalances
. Using outdatedstaked
value, this can affectdelegate_unbonding
allocation.Also, when the
staked
value is not synced, and there is adelegate_unbonding
, at the end this will revert due to unbond more than existing amount bonded, another DOS will happen.Attack Scenario
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Recommendation
Since
unbond
operation can be permissionlessly called in a certain situation, when fetchingstaked
data, it need to be directly call to the pool for an updated value.