A staker with verified over-commitment can potentially bypass slashing completely #408
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-01
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
Comments
code423n4
added
2 (Med Risk)
|
0xSorryNotSorry marked the issue as duplicate of #210 |
|
GalloDaSballo marked the issue as not a duplicate |
|
GalloDaSballo marked the issue as primary issue |
c4-judge
added
the
primary issue
|
GalloDaSballo marked the issue as selected for report |
c4-judge
added
the
selected for report
|
The Warden has shown how, due to an incorrect assumption, it's possible for an over-commited staker to avoid a slashing The finding requires multiple external requirements:
For these reasons I agree with Medium Severity |
This was referenced Jun 5, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/core/StrategyManager.sol#L197
https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/core/StrategyManager.sol#L513
https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/pods/EigenPod.sol#L293
https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/pods/EigenPod.sol#L396
Vulnerability details
Description
In EigenLayer, watchers submit over-commitment proof in the event a staker's balance on the Beacon chain falls below the minimum restaked amount per validator. In such a scenario, stakers’ shares are decreased by the restaked amount. Note that when a full withdrawal is processed, stakers’ deducted shares are credited back to allow for a planned withdrawal on EigenLayer
If such a staker has delegated to an operator who gets slashed on EigenLayer, there is a possibility that this staker completely bypasses any slashing penalties. If overcommitment reduced the shares in the stakers account to 0, there is nothing available for governance to slash.
It is reasonable to assume that governance calls
StrategyManager::slashSharesto reduce a percentage of shares (penalty) from all stakers who delegated to a slashed operator and then resets the frozen status of operator by callingISlasher::resetFrozenStatus.By simply unstaking on the beacon chain AFTER slashing is complete (and operator is unfrozen), an over-committed staker can simply unstake on beacon chain and get back their shares that were deducted when over-commitment was recorded (refer to PoC). Note that these shares have not faced any slashing penalties.
Impact
An over-committed staker can avoid being slashed in a scenario in which their stake should be subject to slashing and so we evaluate the severity to MEDIUM.
Proof of Concept
Consider the following scenario with a chain of events in this order:
BeaconEthStrategy.EigenPod::verifyOverCommittedStakeand Alice's shares are now decreased to 0 (Note: this will be credited back to Alice when she withdraws from the Beacon Chain usingEigenPod::verifyAndProcessWithdrawal)ISlasher::resetFrozenStatus.Tools Used
Manual review
Recommended Mitigation Steps
Over-commitment needs to be accounted for when slashing such that a staker is being slashed not just shares in their account, but also the amount that is temporarily debited while recording over-commitment.
Consider adding a mapping to
StrategyManagerthat keeps track of over-commitment for each staker and take that into consideration while slashing inStrategyManager::slashShares.Assessed type
Other
The text was updated successfully, but these errors were encountered: