Mitigation Confirmed for Mitigation of M-14 Issue mitigated #39

code423n4 · 2023-02-14T14:02:52Z

C4 issue

M-14: any duration can be passed by node operator

Comments

Anyone can call createMinipool() with nodeID, duration, delegationFee parameters.
The original implementation did not have sanity checks for duration, delegationFee parameters and this could lead to various issues.

H-06 MinipoolManager: node operator can avoid being slashed showed an attack path that the node operator can avoid being slashed by providing bad input parameters that will cause revert on slash.
This QA report showed that recordStakingEnd() can revert due to overflow.

Mitigation

PR #38
Double checked the Avalanche documentation about the requirements for duration, delegationFee.

The mitigation added new sanity checks as below.

Tests

There were several unreasonable test cases in the original code base (e.g. 0 duration) and these are fixed now. All passing.

Note

There is another issue found in the mitigation for H-04 and it is slightly related to this one.

Conclusion

LGTM

The text was updated successfully, but these errors were encountered:

c4-judge · 2023-02-20T09:49:24Z

GalloDaSballo marked the issue as satisfactory

code423n4 added mitigation-confirmed MR-Mitigation of M-14 Issue mitigated labels Feb 14, 2023

code423n4 added a commit that referenced this issue Feb 14, 2023

hansfriese issue #39

958d85d

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 20, 2023

Simon-Busch added MR-M-14 and removed MR-Mitigation of M-14 Issue mitigated labels Feb 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mitigation Confirmed for Mitigation of M-14 Issue mitigated #39

Mitigation Confirmed for Mitigation of M-14 Issue mitigated #39

code423n4 commented Feb 14, 2023

c4-judge commented Feb 20, 2023