A node operator’s minipoolCount
could go wrong when the state is ERROR
#666
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-235
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L484
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L221
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L459
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L437
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L658
Vulnerability details
Impact
A node operator’s
minipoolCount
increases when callingMinipoolManager.createMinipool
andMinipoolManager.recreateMinipool
. And the count decreases only when callingMinipoolManager.cancelMinipool
,MinipoolManager.recordStakingEnd
andMinipoolManager.cancelMinipoolByMultisig
.But if a staking error occurred while registering the node as a validator.
MinipoolManager.recordStakingError
will be called. And the state transits toMinipoolStatus.Error
. It doesn’t decrease the minipool count of the node operator. AndMinipoolManager.cancelMinipool
,MinipoolManager.recordStakingEnd
andMinipoolManager.cancelMinipoolByMultisig
cannot be called when the state isMinipoolStatus.Error
.Currently, if
minipoolCount
goes wrong, onlyClaimNodeOp.calculateAndDistributeRewards
will be affected. A node operator’s rewards time will never be reset. But it could lead to a potential disaster ifminipoolCount
is used in the future.Proof of Concept
A node operator’s
minipoolCount
increases when callingMinipoolManager.createMinipool
andMinipoolManager.recreateMinipool
.Staking.increaseMinipoolCount
is calledAnd the count decreases only when calling
MinipoolManager.cancelMinipool
,MinipoolManager.recordStakingEnd
andMinipoolManager.cancelMinipoolByMultisig
.Staking.decreaseMinipoolCount
is called.But If
MinipoolManager.recordStakingError
is called.Staking.decreaseMinipoolCount
won’t be called.Tools Used
Manual Review
Recommended Mitigation Steps
minipooCount
should correctly decrease when the state transits toMinipoolStatus.Error
Call
staking.decreaseMinipoolCount(owner);
inMinipoolManager.recordStakingError
orMinipoolManager.finishFailedMinipoolByMultisig
.The text was updated successfully, but these errors were encountered: