New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple withdrawals of the same AVAX deposit #269
Comments
GalloDaSballo marked the issue as duplicate of #484 |
GalloDaSballo marked the issue as partial-50 |
Less grounded in reality (front-run is necessary), but ultimately shows a wrong FSM state so valid |
GalloDaSballo marked the issue as duplicate of #569 |
GalloDaSballo changed the severity to 2 (Med Risk) |
GalloDaSballo changed the severity to QA (Quality Assurance) |
Changed the severity back to M as requested by @GalloDaSballo |
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L293-L302
Vulnerability details
Impact
The node operator may withdraw the same AVAX deposit amount multiple times.
Proof of Concept
Recreated minipool still has the originally deposited AVAX amount in storage, even though this deposit was already withdrawn by calling
withdrawMinipoolFunds(...)
(here). This allows for multiple withdrawals of deposit amount of AVAX but only once sending AVAX to protocol (on creation of minipool). Consider scenario:Withdrawable
state and the node operator withdraws deposit and rewardsrecreateMinipool(...)
to recreate minipoolWithdrawable
state again, the node operator can withdraw deposit againThe amount of provided deposit is only reset when the minipool is updated with
createMinipool(...)
, but not withrecreateMinipool(...)
.Tools Used
Maunal review
Recommended Mitigation Steps
Consider resetting the amount of the deposit when recreating the minipool.
The text was updated successfully, but these errors were encountered: