New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
M-01 redeem Lacks Slippage Protection #32
Comments
Does adding slippage protection open up a somewhat niche but still real front-run attack. Specifically when a RAV is submitted for an EscrowAccount with low funds.
|
Discussion from slack about solutions and trade-offs: Me:
Pablo V.:
Also for reference here is a previous discussion on this topic #5 |
One more possible solution that was considered: Split the redeem API into two functions:
This would allow indexer code to either choose either slippage protection with a tradeoff of extra gas or to choose all or nothing redeem (reverts if there is not enough to completely redeem RAV). |
Final decision is to leave the code as is (option #2). This allows flexibility while maintaining a low gas cost. The documentation will be updated to reflect the expectation of the indexer. Some context for the decision:
|
Pasting below a comment from OpenZeppelin reviewer from Slack, Aug/22/2023, 6:20AM PST: Thanks for the great discussion @ColePBryan and Pablo and laying out the ideas clearly. I see a few considerations. Allow me to summarise to form an opinion. On (#1): The purpose of setting a slippage is to protect an honest indexer from a rogue sender/signer pair. For instance, a rogue sender pairs with a rogue signer could sign away more value than they plan to pay to honest indexers. The rogue sender could either (a) deposit nothing/little for the indexer; or (b) pre-thaw and revoke the signer to invalidate a voucher. In both cases, the indexer gets nothing/little when redeeming. In (a), it can’t redeem again and the voucher is considered used; In (b), the voucher can’t be used unless the same signer is again authorised by the same/different sender who could deposit into the escrow account for the indexer. This may create further problems/confusion when different gateways re-issue (or issue more than once) RAVs against one allocationID. In (a), by allowing the indexer to drain however much is available is a better protection than reverting. In (b), there isn’t much the indexer can do at this stage. This argument would favour (#2) and (#3) over (#1). However the outcome of (#2) and (#3) may be the same. |
The redeem function in Escrow.sol contains the logic to determine the amount of GRT rewards an indexer will receive as the minimum of the currently available escrow balance and the aggregated amount in the voucher. This allows slippage to occur against the indexer (i.e., the indexer may get less than what is deemed acceptable).
The redeem function does not allow the indexer to specify an expected amount of rewards to receive. Therefore, it is possible that the indexer receives fewer rewards than expected, at which point the voucher that was worth more has been used and cannot be re-used. This could surprise the indexer, who may have otherwise expected the call to revert if the full reward amount could not be given to them.
Consider adding a parameter to the redeem function that allows the caller to specify an expected reward amount. If the calculated amount is not greater than or equal to the expected amount, the call should revert.
The text was updated successfully, but these errors were encountered: