Closed sherlock-admin4 closed 3 months ago
Escalate This is invalid. The event attributes are checked, not the response itself. We can see here (it's included in later versions too) that the amount unstaked is emitted in the events (with the key "amount" matching the code), so the amount will be correctly recorded.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
It seems to me that the escalation is right. J4X-98 what do you think?
Hey @cvetanovv,
Yes indeed the issue seems to be invalid. I agree with the escalation.
Then, I plan to accept the escalation and make this issue invalid.
Result: Invalid Unique
J4X_
High
Staked tokens can never be retrieved due to old cosmos-sdk version on targeted chains
Summary
The Andromeda protocol will be deployed on several cosmos chains, including its own, using a cosmos-sdk version below 0.50. This outdated version lacks the amount parameter in the MsgUndelegateResponse message, causing the andromeda-validator-staking contract to push zero-value entries into the UNSTAKING_QUEUE. As a result, when users try to withdraw unstaked tokens, the tokens cannot be retrieved, leading to their loss. This issue affects all tokens staked through the andromeda-validator-staking contract, rendering them unrecoverable.
Vulnerability Detail
The Andromeda protocol will be deployed on the protocol's own cosmos chain as well as multiple external cosmos chains. The Andromeda chain, as well as several of the other targeted chains, use a cosmos-sdk version that is below 0.50:
Due to the outdated version being used, an issue occurs in the unstaking process of the andromeda-validator-staking module. The unstaking process works as follows. The tokens aren't directly retrieved whenever the owner un-stakes some of his tokens. Instead, the number of tokens unstaked and the completion time are pushed into the UNSTAKING_QUEUE once the MsgUndelegateResponse is received by the contract. After the completion time, the owner can retrieve his tokens again using the execute_withdraw_fund() function.
On all chains that use a version below 0.50, the MsgUndelegateResponse message does not include an amount parameter. The amount parameter was added to the MsgUndelegateResponse message later and is only available in the newer cosmos-sdk version, 0.50. Because of this, the cosmos-sdk does not include an amount parameter in its MsgUndelegateResponse messages on version 0.47.X.
As a result of the outdated version, when the on_validator_unstake() function gets called, the response's attributes will not include an amount attribute. This results in Coin::default() (0) being used to create the struct that is pushed into the UNSTAKING_QUEUE.
When the user/owner tries to withdraw the un-staked tokens again, this will not be possible, as the Coin objects stored in the queue all have an amount of 0. As a result, all unstaked tokens will become stuck in the contract and cannot be retrieved.
Impact
This issue impacts all tokens staked through the andromeda-validator-staking contract, which will be lost and not recoverable. The module cannot be upgraded using migrate(), so the tokens will stay locked forever.
Code Snippet
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-validator-staking/src/contract.rs#L314-L345
Tool used
Manual Review
Recommendation
We recommend manually noting the amount of unstaked tokens and not relying on the amount returned in the MsgUndelegateResponse message.
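As an added example (not the project's code), the zero-default failure mode described in the Vulnerability Detail section beside the recommended fix of recording the requested amount. It uses constructed stand-in types for Coin and the reply attributes instead of cosmwasm_std, and the coin strings and denom are made up for the example.

```rust
// Added example, not the project's code. Stand-in types replace cosmwasm_std
// so it runs alone; it shows a missing "amount" attribute becoming a zero
// Coin, and the recommended alternative of recording the requested amount.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct Coin {
    pub denom: String,
    pub amount: u128,
}

/// One event attribute from a reply (constructed stand-in for the SDK type).
#[derive(Debug, Clone)]
pub struct Attribute {
    pub key: String,
    pub value: String,
}

/// Parse an SDK-style coin string such as "1000uandr" (digits, then denom).
pub fn parse_coin(s: &str) -> Option<Coin> {
    let idx = s.find(|c: char| !c.is_ascii_digit())?;
    let amount = s[..idx].parse::<u128>().ok()?;
    let denom = s[idx..].to_string();
    Some(Coin { denom, amount })
}

/// Lenient handling: look up "amount" in the reply and fall back to
/// Coin::default() (amount 0) when it is absent. This is the failure mode
/// the report describes: a zero-value entry lands in the unstaking queue.
pub fn queued_amount_lenient(attrs: &[Attribute]) -> Coin {
    attrs
        .iter()
        .find(|a| a.key == "amount")
        .and_then(|a| parse_coin(&a.value))
        .unwrap_or_default()
}

/// Recommended handling: the contract records what it asked to undelegate
/// and queues that amount. If the reply does carry an "amount" attribute it
/// is only used as a consistency check, never as the source of truth.
pub fn queued_amount_recorded(requested: &Coin, attrs: &[Attribute]) -> Result<Coin, String> {
    if let Some(reported) = attrs
        .iter()
        .find(|a| a.key == "amount")
        .and_then(|a| parse_coin(&a.value))
    {
        if &reported != requested {
            return Err(format!("reply reports {:?}, requested {:?}", reported, requested));
        }
    }
    Ok(requested.clone())
}
```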