New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Canceled miniPools that are recreated will drain the contract. #584
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-569
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Comments
code423n4
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
labels
Jan 3, 2023
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
GalloDaSballo marked the issue as duplicate of #484 |
Dup of #484 without front-run, awarding half |
GalloDaSballo marked the issue as partial-50 |
c4-judge
added
the
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
label
Jan 10, 2023
GalloDaSballo marked the issue as duplicate of #569 |
c4-judge
added
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
and removed
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
labels
Feb 9, 2023
GalloDaSballo changed the severity to QA (Quality Assurance) |
Simon-Busch
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
and removed
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
labels
Feb 9, 2023
Changed severity back to M as requested by @GalloDaSballo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-569
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L324-L343
Vulnerability details
Impact
Recreating canceled pool is allowed even though it uses other operator's money.
If processed is accidentally repeated multiple times it can drain
MinipoolManager.sol
Proof of Concept
When can pool be cancelled? - 5 day window after staking start time during Prelaunch state, set in create.
Pool is created
avaxStaked
=msg.value
=avaxNodeOpAmt
avaxAssigned
= avaxAssignmentRequest =msg.value
(should be 1:1 tomsg.value
)Pool is canceled (within 5 days)
avaxStaked
= 0AVAX
is sent back to owner of minipool. This part is relevant because when pool is recreatedAVAX
is not returned.Pool is recreated (Prelaunch)
avaxStaked
=avaxNodeRewardOpAmt
= 0- avaxNodeRewardOpAmt = 0. avaxNodeRewardOpAmt is only set when calling RecordingStakingEnd
avaxNodeOpAmt
= previous msg.value when created. (even though the staking balance has been decreased)msg.value
+ 0;avaxAssigned
=avaxNodeOpAmt
-Does this pass the collateralization ratio? - yes the GGPstaked is not affected.
-- Extremely unlikely scenario: If steps above are repeated multiple times the MinipoolManager.sol balance will be drained. Continuing execution flow:
Rialto calls claimAndInitiateStaking
ggAVAX.withdrawForStaking(avaxLiquidStakerAmt);
still goes through. doesn't use funds it shouldntvault.withdrawAVAX(avaxNodeOpAmt);
totalAvaxAmt
is staked on Avalanche even though theavaxNodeOpAmt
half is not the operator's money.recordStakingStart
recordStakingEnd
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L273-L283
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L324-L343
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L444-L478
Recommended Mitigation Steps
Do not allow canceled Minipools to be recreated.
The text was updated successfully, but these errors were encountered: