recreateMinipool() could lead to losing funds #423
Comments
Basically dup of #569 with some extra info
Case 1 depends on Rialto making a mistake. It would not call recreate() on a minipool that had never staked. And we are assuming for the audit that Rialto is a perfect actor, so this is invalid. Case 2 I do not really understand... Seems like it is working as intended. Our UI will prevent anything that is not in 14-day increments, but even if that wasn't there the staking would fail and recordStakingError() would be called after claimAndInitiateStaking().
GalloDaSballo marked the issue as duplicate of #569
GalloDaSballo marked the issue as partial-50
Basically issues with validation that can lead to issues but unclear -> awarding 50% because the FSM / check is incorrect but is not as accurate as 569 |
GalloDaSballo changed the severity to QA (Quality Assurance)
Changed the severity back to M as requested by @GalloDaSballo |
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L444-L478
Vulnerability details
Impact
- The Vault will lose funds
- The nodeOP will be slash()
- The minipool can be active for infinite cycles
Proof of Concept
“...behind the scenes, Rialto will only create a validator for 14 days. At the end of the 14 days, the Avalanche protocol pays out the validation rewards and all funds are returned to the contracts, which divvy up the rewards between liq stakers and nodeops. If the duration still has time left to go, Rialto will call recreateMinipool which will do another 14 days cycle…”
After 14 days Rialto will invoke recordStakingEnd()
**Case 01:**
Duration still has time left to go. Rialto will call recreateMinipool(), which will do another 14-day cycle. A malicious Multisig, or one acting by mistake, can invoke recreateMinipool() even if the minipool has no funds on it. Please copy the following POC into MinipoolManager.t.sol
**Case 02:**
This is the last cycle, or the time left is smaller than 14 days. A malicious Multisig, or one acting by mistake, can invoke recreateMinipool(). So, in case the node op shuts down the node and just decides to leave his funds in the vault for a period of time, there is no reward for this minipool, and this will lead to slash(). You can avoid this case by checking the time left. Please copy the following POC into MinipoolManager.t.sol
Recommended Mitigation Steps
Add more checks on recreateMinipool()
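As an added illustration (not GoGoPool's MinipoolManager and not the POC referenced above), a hypothetical, simplified contract showing the two guards this report asks for: refuse to recreate a minipool that never staked (Case 01) and refuse when the remaining duration is shorter than one 14-day cycle (Case 02). The status enum, the `initialStartTime` field, the multisig mapping and all error names are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical sketch of the extra checks on recreateMinipool(); this is
/// not GoGoPool's code, and field and status names are assumptions.
contract MinipoolRecreateGuard {
    uint256 public constant CYCLE_DURATION = 14 days;

    enum Status { Prelaunch, Launched, Staking, Withdrawable, Finished, Canceled, Error }

    struct Minipool {
        address owner;
        Status status;
        uint256 duration;         // total validation period requested by the node op
        uint256 initialStartTime; // 0 until the first cycle has actually staked
        uint256 startTime;        // start of the most recent cycle
        uint256 avaxNodeOpAmt;    // node op AVAX currently held for this minipool
    }

    error NotAuthorized();
    error InvalidStateTransition(Status current);
    error MinipoolNeverStaked();
    error RemainingDurationTooShort(uint256 remaining);

    mapping(address => Minipool) public minipools;
    mapping(address => bool) public isMultisig; // stand-in for the Rialto multisig set

    function recreateMinipool(address nodeID) external {
        if (!isMultisig[msg.sender]) revert NotAuthorized();
        Minipool storage mp = minipools[nodeID];

        // Case 01: only a minipool that has finished at least one staking cycle
        // and still holds node-op funds can be rolled into a new cycle.
        if (mp.status != Status.Withdrawable) revert InvalidStateTransition(mp.status);
        if (mp.initialStartTime == 0 || mp.avaxNodeOpAmt == 0) revert MinipoolNeverStaked();

        // Case 02: the requested duration must have a full cycle left; if it does
        // not, the minipool should be finished and withdrawn, not recreated.
        uint256 elapsed = block.timestamp - mp.initialStartTime;
        uint256 remaining = mp.duration > elapsed ? mp.duration - elapsed : 0;
        if (remaining < CYCLE_DURATION) revert RemainingDurationTooShort(remaining);

        // Both guards passed: reset the per-cycle fields and return to Prelaunch.
        mp.status = Status.Prelaunch;
        mp.startTime = 0; // set again when the next cycle's staking is recorded
    }
}
```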