Open hats-bug-reporter[bot] opened 1 year ago
The exit signatures are encrypted with the oracles public keys and stored to the IPFS. The hacker would have to get hold of the private keys of the oracles to decrypt and get hold of the exit signatures.
Github username: @akshaysrivastav Submission hash (on-chain): 0xb8f60c0cd7846b9c790947d801554d12e143d54a270bc363b5ec0f1f21b2eacc Severity: high
Description:
Description
Stakewise V3 intends to permissionlessly allow creation and management of validators. It also provides mechanisms to initialize and exit validators for vaults without having dependency on vault's deployer.
However while creating the open validator exit mechanism, the protocol exposes the exit signatures of validators publicly.
KeeperValidators.sol
It can be seen that the
approveValidators
&updateExitSignatures
functions openly accepts theexitSignaturesIpfsHash
input, this value is also logged in events. The use ofstring
type parameter also indicates that the parameter contains the IPFS hash of signatures and not the hash of IPFS hash.Since data on IPFS network is publicly accessible, anyone can read the exit signatures of validators. After that these exit signatures can be submitted to Ethereum consensus network due to which all validators supported via Stakewise protocol will be removed from consensus protocol.
Impact:
An attacker can forcefully make all validators of all vaults exit the Ethereum consensus network. This breaks the core offering of Stakewise V3 as no validators can successfully propose blocks ever.
Attack Scenario
Mitigation
IPFS is a public network so storing sensitive signatures on IPFS is not safe. Moreover no such information should be stored on Ethereum chain as well. It will be better to store the signatures in the keeper oracle network.
Attachments