DoS of recordStakingEnd and slash in MinipoolManager #131
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-494
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L385-L440
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L424-L426
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L670-L683
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/Staking.sol#L379-L383
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/Staking.sol#L94-L97
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/BaseAbstract.sol#L195-L197
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/Storage.sol#L176-L178
Vulnerability details
Impact
GGP is staked by the node operator as collateral for the liquid stakers' AVAX. However, there are conditions under which slash reverts, which in turn makes recordStakingEnd revert whenever Rialto wants to slash the node operator for bad behaviour. The minipool's funds are then stuck, and there is no way forward unless Rialto chooses to reward the node operator even though they were meant to be slashed.
Proof of Concept
When Rialto decides to slash a node operator, it calls recordStakingEnd with avaxTotalRewardAmt set to 0. That call invokes slash, which in turn calls Staking's slashGGP. The order of calls is recordStakingEnd -> slash -> slashGGP.
However, slashGGP calls decreaseGGPStake on stakerAddr directly, with no check against the staker's current balance.
This reverts with an arithmetic underflow when the staker's stakedGGP is smaller than the GGP slash amount derived from expectedAVAXRewardsAmt (the expected AVAX rewards converted at the GGP/AVAX price), because decreaseGGPStake subtracts from the staker.item storage slot with checked arithmetic. One condition that triggers the revert is described below.
The proof of concept in MinipoolManager.t.sol uses a 12-month validation period, which the protocol incentivizes node operators to sign up for according to the docs. Merely dropping the GGP price in AVAX from 1 ether to 0.9 ether makes the staked GGP insufficient to cover expectedAVAXRewardsAmt, so slash reverts and recordStakingEnd is DoSed.
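To make the failure condition concrete, here is an added illustration that is not GoGoPool code and not the warden's PoC: a stripped-down staking ledger with the uncapped subtraction that reverts, a capped variant that slashes whatever stake exists and reports the shortfall instead of reverting, and the report's price drop from 1 ether to 0.9 ether worked through. The function names, the 100 GGP stake, the 100 AVAX expected reward and the operator address are constructed assumptions; the slash formula mirrors the shape of divWadDown(avaxRewardAmt, ggpPriceInAvax) but the real reward-rate and collateral parameters are not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration (not GoGoPool code): why an uncapped slash reverts and one way to cap it.
contract SlashDemo {
    uint256 private constant WAD = 1e18;

    // GGP staked per node operator (stands in for Staking's staker.item storage).
    mapping(address => uint256) public stakedGGP;

    function stake(address staker, uint256 amt) external {
        stakedGGP[staker] += amt;
    }

    // GGP owed for a missed AVAX reward amount, priced at ggpPriceInAvax (AVAX per GGP, WAD scaled).
    // Assumption: same shape as MinipoolManager.calculateGGPSlashAmt, i.e. avaxRewardAmt.divWadDown(price).
    function ggpSlashAmt(uint256 avaxRewardAmt, uint256 ggpPriceInAvax) public pure returns (uint256) {
        return avaxRewardAmt * WAD / ggpPriceInAvax;
    }

    // Uncapped: checked arithmetic reverts with Panic(0x11) when amt > stakedGGP[staker].
    // This is the revert that propagates up through slash into recordStakingEnd in the report.
    function slashUncapped(address staker, uint256 amt) external {
        stakedGGP[staker] -= amt;
    }

    // Capped: take everything that is there and return the uncovered remainder so the caller
    // can record it (or handle it by other means) instead of bricking the minipool's end-of-stake path.
    function slashCapped(address staker, uint256 amt) public returns (uint256 slashed, uint256 shortfall) {
        uint256 have = stakedGGP[staker];
        slashed = amt > have ? have : amt;
        shortfall = amt - slashed;
        stakedGGP[staker] = have - slashed;
    }

    // Worked scenario: the same expected reward fits the stake at 1 GGP = 1 AVAX,
    // but at 1 GGP = 0.9 AVAX it needs ~111.1 GGP and exceeds a 100 GGP stake.
    function scenario() external pure returns (bool fitsAt1, bool fitsAt09) {
        uint256 staked = 100 ether;       // constructed: operator staked 100 GGP
        uint256 expectedAvax = 100 ether; // constructed: expected AVAX rewards over the 12-month period
        fitsAt1 = ggpSlashAmt(expectedAvax, 1 ether) <= staked;    // 100 GGP <= 100 GGP  -> true
        fitsAt09 = ggpSlashAmt(expectedAvax, 0.9 ether) <= staked; // 111.1 GGP <= 100 GGP -> false
    }

    // Exercise the capped path end to end at the 0.9 ether price: all 100 GGP is taken and
    // ~11.1 GGP is reported as shortfall, with no revert.
    function demoCapped() external returns (uint256 slashed, uint256 shortfall) {
        address op = address(0xBEEF); // constructed operator address
        stakedGGP[op] = 100 ether;
        (slashed, shortfall) = slashCapped(op, ggpSlashAmt(100 ether, 0.9 ether));
    }
}
```

Calling slashUncapped(op, ggpSlashAmt(100 ether, 0.9 ether)) after staking 100 GGP reverts, which is exactly the state the report describes; capping is only the minimal way to keep recordStakingEnd callable, and the uncovered shortfall still has to be dealt with by whatever collateral policy the protocol chooses (the report's recommendation below is one such policy).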
Tools Used
Foundry
Recommended Mitigation Steps
Recommend making staked GGP liquidatable, so that it can be liquidated in the event the staked GGP drops below the value of expectedAVAXRewardsAmt, and making the required GGP stake depend on the duration of the validation period.