Users should still be slashed the total amount of their GGP staked even if they do not meet the calculated amount #561
Comments
Despite the nuance I think this ultimately is a dup of the reports using a longer duration to cause an overflow and prevent slashing
GalloDaSballo marked the issue as duplicate of #136
GalloDaSballo marked the issue as not a duplicate
GalloDaSballo changed the severity to 3 (High Risk)
GalloDaSballo changed the severity to 2 (Med Risk)
GalloDaSballo marked the issue as duplicate of #494
GalloDaSballo marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L670-L683
Vulnerability details
Impact
Currently, slash() will revert if the calculated amount of staked GGP is more than node operator's staked amount as they do not have enough to pay for it. This is problematic as in such situations, the function will revert instead of simply slashing all of their staked amount.
Proof of Concept
Currently, there is a 10% requirement of GGP staked in order for a node operator to create a minipool. This is used as a precaution to compensate liquid stakers if node operator does not fulfill its obligations. However, there is no guarantee that this amount is sufficient.
Slash amount is calculated based on the expected AVAX reward amount. It might be possible for this amount to be higher than the minimum GGP staked amount.
MinipoolManager.sol#L670-L683
When we slash a user, we are subtracting their current staked GGP with slashGGPAmt. This can underflow and revert the slash function if they do not have enough.
Tools Used
Manual Review
Recommended Mitigation Steps
We have a simple and effective fix for this.
We can slash the minimum of slashGGPAmt and staker's GGP stake instead.
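The revert and the recommended cap, side by side, as an added example that is not part of the original report or the project's code. The contract `StakeLedger` and its functions `stake`, `slashExact` and `slashCapped` are hypothetical names, the compiler version is an assumption, and access control is left out to keep the focus on the arithmetic; only `slashGGPAmt` comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumption: any 0.8.x compiler (checked arithmetic by default)

/// Added illustration. StakeLedger and its members are hypothetical and do not
/// reproduce the project's Staking or MinipoolManager contracts.
contract StakeLedger {
    mapping(address => uint256) public ggpStaked;

    event Slashed(address indexed staker, uint256 requested, uint256 taken);

    /// Test helper: credit a stake (no token transfer in this sketch).
    function stake(address staker, uint256 amt) external {
        ggpStaked[staker] += amt;
    }

    /// Behaviour described in the report: with checked arithmetic the
    /// subtraction reverts with Panic(0x11) whenever
    /// slashGGPAmt > ggpStaked[staker], so the call fails and the
    /// staker loses nothing.
    function slashExact(address staker, uint256 slashGGPAmt) external {
        ggpStaked[staker] -= slashGGPAmt;
        emit Slashed(staker, slashGGPAmt, slashGGPAmt);
    }

    /// Recommended mitigation: slash min(slashGGPAmt, stake).
    /// Returns the amount actually taken so the caller can record
    /// the real figure rather than the requested one.
    function slashCapped(address staker, uint256 slashGGPAmt)
        external
        returns (uint256 taken)
    {
        uint256 staked = ggpStaked[staker];
        taken = slashGGPAmt > staked ? staked : slashGGPAmt;
        ggpStaked[staker] = staked - taken; // cannot underflow: taken <= staked
        emit Slashed(staker, slashGGPAmt, taken);
    }
}
```

With a stake of 100 and a requested slash of 150, `slashExact` reverts and the balance stays at 100, while `slashCapped` returns 100 and leaves a balance of 0.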