the lack of checks for Minipool duration which can cause multiple issues like penalty bypass or fund loss #694
Comments
Primary because it groups findings, but I think the warden should have separated the Slash grief vs the Duration check
GalloDaSballo marked the issue as primary issue
Agreed on the separation of slash grief vs duration check. 1, 2 and 4 will be addressed with a better duration check during the slash calculation. I'll mark this as a duplicate and link to the other issue when I find it.
emersoncloud marked the issue as disagree with severity
Impacts 1 & 2 are not valid as they would result in recordStakingError()
Only valid impact for this issue
duplicate of #493
In contrast to other reports, this report shows:
GalloDaSballo changed the severity to 2 (Med Risk)
Duplicate of #533
GalloDaSballo marked the issue as grade-c
Closing after having split this into 2 |
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L191-L269
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L380-L440
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L442-L478
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L667-L683
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L553-L561
Vulnerability details
Impact
The duration of a Minipool is specified by the node runner and should be between 14 days and 365 days. The Multisig recreates the Minipool in 14-day cycles so that the total duration is covered, and if the node runner fails validation the contract slashes the node runner and distributes their GGP collateral to the liquid stakers. In the current implementation there are not enough checks on the duration of a Minipool to ensure that the features that depend on it behave correctly. The impacts are:
Proof of Concept
In createMinipool() there is no check that duration is between 14 days and 365 days, so it is possible to create a Minipool with a duration of 0 and a Minipool with a very large duration.
In slash() and getExpectedAVAXRewardsAmt() the slash amount is calculated from the Minipool's full duration ((avaxAmt * duration) / (rate * 365)). When recordStakingEnd() is called with 0 rewards, the node runner is slashed for the whole duration even though they generated validation rewards for most of that time.
In recreateMinipool() there is no check that the Multisig is not over-recycling a Minipool. Suppose a node runner prepares validator hardware for a fixed period, for example 140 days, and creates a Minipool with a duration of 140 days for that node, expecting the Minipool to end after 140 days. Nothing in the code enforces this: the Multisig can keep recreating the Minipool, so the real duration can extend past 140 days. Because the node runner's hardware is not available after 140 days, the node fails to validate and earns no reward in the last cycle, and the node runner is slashed for the whole duration despite having run a valid node for the entire period they signed up for. The code should check that the Multisig cannot over-recreate a Minipool.
Tools Used
VIM
Recommended Mitigation Steps
Add bounds checks for the duration value, fix the logic of slash() so it only slashes for the time the node did not validate properly, and change recreateMinipool() to make sure the Multisig cannot over-recreate a Minipool.
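The following is an added illustration of the three mitigations above, written for this page; it is not GoGoPool's code. It is a plain-Python model of a Minipool lifecycle in which createMinipool() bounds the duration, recordStakingEnd() slashes only for the cycle that produced no rewards, and recreateMinipool() refuses a cycle that would run past the requested duration. The 14-day cycle, the 10% expected rewards rate, the field names and the AVAX-denominated slash amount are assumptions made for the example (the real contract converts the slash into GGP). The unchecked full-duration slash is kept alongside the hardened one so the two can be compared.

```python
"""Added example for this report (not GoGoPool's code): a plain-Python model
of a Minipool with duration bounds, per-cycle slashing and a recreate guard.
Constants and field names are assumptions made for the illustration."""
from dataclasses import dataclass

DAY = 86_400
CYCLE = 14 * DAY                  # assumed: one validation cycle per recreate
MIN_DURATION = 14 * DAY           # bounds named in the report
MAX_DURATION = 365 * DAY
WAD = 10**18
RATE_WAD = 10**17                 # assumed: 10% expected AVAX rewards per year


class DurationError(ValueError):
    """Requested duration lies outside [MIN_DURATION, MAX_DURATION]."""


class RecreateError(ValueError):
    """Recreating would run the node past the duration it signed up for."""


@dataclass
class Minipool:
    duration: int                 # total validation time the node runner asked for
    avax_liquid_staker_amt: int   # matched liquid-staker AVAX (wad)
    start_time: int = 0           # start of the first cycle
    cycle_start: int = 0          # start of the cycle currently being validated


def expected_avax_rewards(duration: int, avax_amt: int) -> int:
    """Expected rewards scale linearly with duration: avax * rate * duration / 365 days."""
    return (avax_amt * RATE_WAD // WAD) * duration // (365 * DAY)


def check_duration(duration: int) -> int:
    """Check 1: the bound the report says createMinipool() does not enforce."""
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise DurationError(f"duration {duration}s not in [{MIN_DURATION}, {MAX_DURATION}]")
    return duration


def create_minipool(duration: int, avax_amt: int) -> Minipool:
    return Minipool(duration=check_duration(duration), avax_liquid_staker_amt=avax_amt)


def slash_full_duration(mp: Minipool) -> int:
    """Behaviour the report describes: slash for the whole recorded duration."""
    return expected_avax_rewards(mp.duration, mp.avax_liquid_staker_amt)


def slash_missed_time(mp: Minipool, missed: int) -> int:
    """Check 2: slash only for the time the node actually failed to validate."""
    return expected_avax_rewards(missed, mp.avax_liquid_staker_amt)


def record_staking_start(mp: Minipool, now: int) -> None:
    mp.start_time = now
    mp.cycle_start = now


def record_staking_end(mp: Minipool, now: int, rewards: int) -> int:
    """Return the slash for this cycle: 0 if rewards came in, else the missed cycle only."""
    if rewards > 0:
        return 0
    return slash_missed_time(mp, now - mp.cycle_start)


def recreate_minipool(mp: Minipool, now: int) -> None:
    """Check 3: refuse a new cycle that would end after start_time + duration."""
    if now + CYCLE > mp.start_time + mp.duration:
        raise RecreateError("next cycle would exceed the requested duration")
    mp.cycle_start = now


if __name__ == "__main__":
    # Constructed scenario: 140-day Minipool, 1000 AVAX matched, one failed cycle.
    mp = create_minipool(140 * DAY, 1_000 * WAD)
    print("full-duration slash:", slash_full_duration(mp) / WAD, "AVAX")
    print("one missed cycle:   ", slash_missed_time(mp, CYCLE) / WAD, "AVAX")
```

In this model a node runner who validates nine of ten 14-day cycles loses roughly a tenth of what the full-duration calculation would take, and a Multisig that tries to start an eleventh cycle on a 140-day Minipool is refused rather than silently extending the node's obligation.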