Slashed GGP tokens are sent to a wrong contract and trapped #571
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-532
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L670
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/Staking.sol#L379
Vulnerability details
Impact
Slashed GGP tokens are trapped in the ProtocolDAO contract and liquid stakers are not compensated.
Proof of Concept
The protocol has a mechanism to slash GGP tokens when the nodes did not operate well (uptime less than 80%).
But looking at the function
slashGGP()
, the slashed GGP tokens are transferred to theProtocolDAO
contract and there is no way to transfer/spend those.I believe it is supposed to be sent to
ClaimProtocolDAO
contract, not theProtocolDAO
, so that it can be spent later.Furthermore, I don't see any mechanism to compensate the victim liquid stakers.
I believe the protocol intends to exchange the slashed GGP tokens into AVAX and put into the
TokenggAVAX
so that liquid stakers can claim.Tools Used
Manual Review
Recommended Mitigation Steps
ClaimProtocolDAO
contract so that the protocol can spend later.The text was updated successfully, but these errors were encountered: