-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node Operator could lose his money by mistake or by a malicious user #425
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-213
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Comments
code423n4
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
labels
Jan 2, 2023
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
GalloDaSballo marked the issue as duplicate of #213 |
c4-judge
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
and removed
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
labels
Feb 3, 2023
GalloDaSballo changed the severity to 3 (High Risk) |
c4-judge
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
downgraded by judge
Judge downgraded the risk level of this issue
and removed
3 (High Risk)
Assets can be stolen/lost/compromised directly
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
labels
Feb 8, 2023
GalloDaSballo changed the severity to 2 (Med Risk) |
c4-judge
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
and removed
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
downgraded by judge
Judge downgraded the risk level of this issue
labels
Feb 8, 2023
GalloDaSballo changed the severity to 3 (High Risk) |
GalloDaSballo marked the issue as satisfactory |
c4-judge
added
satisfactory
satisfies C4 submission criteria; eligible for awards
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
and removed
3 (High Risk)
Assets can be stolen/lost/compromised directly
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
labels
Feb 8, 2023
GalloDaSballo changed the severity to QA (Quality Assurance) |
Simon-Busch
removed
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
labels
Feb 9, 2023
Simon-Busch
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
labels
Feb 9, 2023
Changed severity back from QA to H as requested by @GalloDaSballo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-213
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L164
Vulnerability details
Impact
Node Operator will lose all AVAX funds of his minipool + he can't use his minipool for a period of time
Proof of Concept
Case 01:
The status of the minipool is Withdrawable the node op can invoke
createMinipool()
(by mistake) before callingwithdrawMinipoolFunds()
to receive his money back first.Here the node op will lose both
avaxNodeOpAmt
andavaxNodeOpRewardAmt
on this specific nodeIDCase 02:
The status of the minipool is Error the node op can invoke
createMinipool()
(by mistake) before callingwithdrawMinipoolFunds()
to receive his money back first.Here the node op will only lose
avaxNodeOpAmt
because theavaxNodeOpRewardAmt
are 0.Case 03:
The status of the minipool are Withdrawable or Error any malicious user (or a normal node op passed a different nodeID ) could invoke
createMinipool()
.He will be the owner of this node op
and the first node op will lose his funds forever + he needs to wait until the Multisig change the state to Error , Canceled or Finished to reuse the same minipool
Please copy the following POC on MinipoolManager.t.sol
Recommended Mitigation Steps
The text was updated successfully, but these errors were encountered: