Closed sherlock-admin4 closed 3 months ago
The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/362
Escalate
I don't think this is an issue as it seems to be working as designed.
Additionally, the PR mentioned is from the 25th of June.
Escalate
I don't think this is an issue as it seems to be working as designed.
Additionally, the PR mentioned is from the 25th of June.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
I don't think this is an issue as it seems to be working as designed.
It's not desired to trick the system into having a way out before other users. Issues regarding sceduling withdraws to bypass/lower withdraw windows are common in contests. In the above example it's clearly shown how sceduling such withraws can gain you advantage when it comes to withdraws.
Escalate
I don't think this is an issue as it seems to be working as designed.
Additionally, the PR mentioned is from the 25th of June.
I don't think this is desired behavior, as it allows a user to game the withdrawal system by having a withdrawal perpetually scheduled.
Hi @mystery0x, allowing the participants to still be active even if they have a stake removal in progress and to have the ability to cancel it any time they want is a design choice as outlined in the README's Q: Please discuss any design choices you made. section.
The README doesn't clearly state what's desired behavior and what's not.
It's desired that users can schedule withdraws and cancel them if need be, but besides that it doesn't cover the above case. It's not desired for users to lower or even skip the withdraw queue. Given the fact that users are still treated normally -- can perform actions/earn rewards -- then nothing would prevent a user from employing such tactic to lower/skip the waiting period of the queue.
Hi @0x3b33,
The users are not lowering or skipping withdrawals queue, the cooldown period is still enforced for each withdrawal and they are just using the provided functionality as it was designed.
For reference, please check the judging criteria docs :
Design decisions are not valid issues. Even if the design is suboptimal, but doesn't imply any loss of funds, these issues are considered informational.
User experience and design improvement issues: Issues that cause minor inconvenience to users where there is no material loss of funds are not considered valid. Funds are temporarily stuck and can be recovered by the administrator or owner. Also, if a submission is a design opinion/suggestion without any clear indications of loss of funds is not a valid issue.
Hey @imsrybr0 Thanks for quick reply, really appreciate it.
Design decisions are not valid issues. Even if the design is suboptimal, but doesn't imply any loss of funds, these issues are considered informational.
I agree it's a design decision, but it's more than suboptimal, given that users would be able to schedule their withdraws constantly and cancel them before expiration they would be able to lower the impact of our withdraw queue - a core component of the system. I think the above report gave a clear description of how that is done and how it impacts the system.
Here is a similar medium issue - 162, that explained how a design decision impacts the system.
I see the confusion here and how it may seem intended. Before we get to it, I want to clarify three things:
- There's no loss of funds and it's just a "broken" functionality?
No direct loss of funds, just broken core functionality.
- Does the user execute the withdrawal themselves or it's done by a trusted operator, i.e. does the user schedule a withdrawal and then withdraw themselves when the delay is over, or do they schedule a withdrawal and then an operator executes it after a delay?
Withdraws are scheduled executed automatically when they reach their end. However during that schedule users are treated as active, as if they haven't scheduled a withdraw. They would be able to impact the system (upload losses) and get rewards.
In a sense the system doesn't differentiate between a reputer who has scheduled 100% of his stake to be withdrawn and one that hasn't.
Thank you for these clarifications, but in that case, I would say it's the design of the protocol with a suboptimal tradeoff. Hence, since it doesn't cause a loss of funds, I believe it should be low severity:
Design decisions are not valid issues. Even if the design is suboptimal, but doesn't imply any loss of funds, these issues are considered informational
Planning to accept the escalation and invalidate the report
Result: Invalid Unique
0x3b
Medium
Actors can game the withdraw waiting time
Summary
Actors can keep a withdrawal request scheduled all the time, which enables them to cut the withdrawal waiting time in half (or more).
Vulnerability Detail
As the README explains, participants who have scheduled a withdrawal still fully participate in the system.
This is actually implemented in the code, as RemoveStake (inside
msg_server_stake
) only records the removal and RemoveStakes (insidestake_removals
) does the system changes.This enables users to always have a withdrawal scheduled and cancel it just before it gets executed if they want to stay, and let it execute if they want to leave. This will cut the waiting period significantly. Here are two examples:
At time T, both users decide to leave because of some event, either inside or outside the system. User1 will already have his withdrawal request at N% completed (where N is between 0% and 100%, average 50%), and User2 will have his withdrawal request at 0% (he just made one).
Impact
Users can game the withdrawal system by having a withdrawal constantly scheduled.
Code Snippet
Tool Used
Manual Review
Recommendation
This is an issue in many protocols with withdrawal queues. A general solution is to keep their commitment (the stake can be impacted), but remove their rights (they can't act on the system).