hats-finance / StakeWise-0xd91cd6ed6c9a112fdc112b1a3c66e47697f522cd

Liquid staking protocol for Ethereum

Funds can be locked if the validator gets slashed #97

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @JeffCX

Submission hash (on-chain): 0x3a60d8941d78311d9f5fa154b75502db73d94e823f42865e221f5e1578b61716

Severity: medium

Description:

Funds can be locked if the validator gets slashed

Attack Scenario

When a new vault is deployed, the deployer can set a capacity;

the capacity needs to be more than 32 ETH.

If there are more than 32 ETH in the vault,

a validator can be registered and 32 ETH is deposited into the beacon chain,

but if the validator gets slashed,

the built-in liquidation mechanism is not sufficient to protect users from having their funds locked.

https://docs-v3.stakewise.io/protocol-overview-in-depth/oseth#peg-stability

The liquidation mechanism kicks in if a user's minted osETH value exceeds 92% of their staked ETH value in the Vault. At this moment, their osETH position will be unhealthy, and anyone will be able to step in to burn the entire amount of osETH a staker has previously minted, in exchange for the underlying ETH

but slashing can in theory slash all of the validator's staked balance, which is the users' funds

https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/rewards-and-penalties/#slashing

This means that 1/32 of their staked ether (up to a maximum of 1 ether) is immediately burned, then a 36 day removal period begins. During this removal period the validator's stake gradually bleeds away. At the mid-point (Day 18) an additional penalty is applied whose magnitude scales with the total staked ether of all slashed validators in the 36 days prior to the slashing event. This means that when more validators are slashed, the magnitude of the slash increases. The maximum slash is the full effective balance of all slashed validators

because in the case of slashing, if the validator cannot return the 32 ETH back, or a few validators cannot return their 32 ETH back to the pool,

liquidation and redemption are likely to revert in this check

    // check whether received assets are valid
    uint256 depositedAssets = convertToAssets(_balances[owner]);
    if (receivedAssets > depositedAssets || receivedAssets > withdrawableAssets()) {
      revert Errors.InvalidReceivedAssets();
    }

because there are just not enough withdrawableAssets() left for the user

Attachments

  1. Proof of Concept (PoC) File

Described above

tsudmi commented 1 year ago

In case a validator's full balance is slashed, every share in the vault will be worth much less ETH. The liquidator has to wait for the share price to be updated and for ETH to land back in the vault to execute the liquidation.
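An added example, not part of the thread and not StakeWise's code: a simplified Python model of the check quoted in the report, showing when it reverts after a slashing and when it passes once the share price is updated and ETH is back in the vault. The ERC-4626-style share math, the definition of `withdrawable_assets`, and all amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ETH = 10**18  # amounts are integer wei, as on-chain

class InvalidReceivedAssets(Exception):
    """Stands in for Errors.InvalidReceivedAssets() from the quoted snippet."""

@dataclass
class VaultModel:
    total_shares: int   # all vault shares
    total_assets: int   # accounted assets; changes only when the share price is updated
    vault_balance: int  # ETH actually held by the vault contract

    def convert_to_assets(self, shares: int) -> int:
        # Assumption: pro-rata ERC-4626-style conversion.
        return shares * self.total_assets // self.total_shares

    def withdrawable_assets(self) -> int:
        # Assumption: only ETH already returned to the vault can be paid out.
        return self.vault_balance

    def check_received(self, owner_shares: int, received: int) -> None:
        # Same condition as the check quoted in the report.
        deposited = self.convert_to_assets(owner_shares)
        if received > deposited or received > self.withdrawable_assets():
            raise InvalidReceivedAssets(f"received={received} deposited={deposited}")

def passes(vault: VaultModel, owner_shares: int, received: int) -> bool:
    try:
        vault.check_received(owner_shares, received)
        return True
    except InvalidReceivedAssets:
        return False

def scenario() -> dict:
    # Constructed case: one 32 ETH validator, a staker holding 16 of 32 shares,
    # and a 16 ETH slashing loss.
    owner = 16 * ETH
    stale = VaultModel(32 * ETH, 32 * ETH, 0)           # slashed, price not updated, no ETH back
    updated = VaultModel(32 * ETH, 16 * ETH, 0)         # price updated, ETH still on beacon chain
    settled = VaultModel(32 * ETH, 16 * ETH, 16 * ETH)  # price updated and ETH returned
    return {
        "stale_price": passes(stale, owner, 14 * ETH),
        "updated_no_eth": passes(updated, owner, 8 * ETH),
        "settled": passes(settled, owner, 8 * ETH),
        "settled_old_amount": passes(settled, owner, 14 * ETH),
    }
```

In this model the check passes only in the `settled` state and only for an amount computed at the post-slashing share price.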