Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

STRATEGYMANAGER.SOL CONTRACT OWNER COULD BE DEPRIVED OF A SLASH #432

Open
code423n4 opened this issue May 4, 2023 · 11 comments
Open

STRATEGYMANAGER.SOL CONTRACT OWNER COULD BE DEPRIVED OF A SLASH #432

code423n4 opened this issue May 4, 2023 · 11 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b judge review requested Judge should review this issue primary issue Highest quality submission among a set of duplicates Q-03 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L189-L194
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L821-L836
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L501

Vulnerability details

Impact

Both slashShares() and recordOvercommittedBeaconChainETH() could possibly interfere each other such that the former could be deprived of sending ETH to the recipient.

Proof of Concept

A validator who has been slashed by the contract owner of StrategyManager.sol will incur a debt when he/she eventually over commits:

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L189-L194

        // if the amount exceeds the user's shares, then record it as an amount to be "paid off" when the user completes a withdrawal
        if (amount > userShares) {
            uint256 debt = amount - userShares;
            beaconChainETHSharesToDecrementOnWithdrawal[overcommittedPodOwner] += debt;
            amount -= debt;
        }

When the validator is slashed again in the Eigen Layer, calling slashShares() could likely sending less or no ETH the recipient. According to the code logic below, if amount > amountToDecrement, the staker's debt will be cleared with less ETH sent to the recipient at the end. If amount <= amountToDecrement, the function call ends prematurely with nothing sent to the recipient.

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L821-L836

    function _withdrawBeaconChainETH(address staker, address recipient, uint256 amount) internal {
        uint256 amountToDecrement = beaconChainETHSharesToDecrementOnWithdrawal[staker];
        if (amountToDecrement != 0) {
            if (amount > amountToDecrement) {
                beaconChainETHSharesToDecrementOnWithdrawal[staker] = 0;
                // decrease `amount` appropriately, so less is sent at the end
                amount -= amountToDecrement;
            } else {
                beaconChainETHSharesToDecrementOnWithdrawal[staker] = (amountToDecrement - amount);
                // rather than setting `amount` to 0, just return early
                return;
            }
        }
        // withdraw the beaconChainETH to the recipient
        eigenPodManager.withdrawRestakedBeaconChainETH(staker, recipient, amount);
    }

The problem is that shares have been removed in slashShares(). Although the contract owner could still make up for the loss by slashing the staker again but I don't think this is the intended design. Moreover, doing this will severely tarnish the reputation of the protocol.

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L501

            if (_removeShares(slashedAddress, strategyIndexes[strategyIndexIndex], strategies[i], shareAmounts[i])) {

Recommended Mitigation Steps

It is recommended allowing the sending of ETH to the recipient directly in slashShares() by skipping _withdrawBeaconChainETH().

Assessed type

DoS
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels May 4, 2023
code423n4 added a commit that referenced this issue May 4, 2023
@code423n4
Josiah issue #432
fdfafad
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label May 9, 2023
@c4-sponsor c4-sponsor added the judge review requested Judge should review this issue label May 12, 2023
@c4-sponsor
Copy link

Sidu28 requested judge review

@c4-sponsor
Copy link

Sidu28 marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label May 12, 2023
@Sidu28
Copy link

Sidu28 commented May 12, 2023
edited
Loading

We believe this is a duplicate of issue 259, as it appears to have the same root cause.

(Note to C4 admins: The disagree with severity tag and the sponsor disputed tag are accidental, please remove if possible)
@0xSorryNotSorry

@c4-sponsor
Copy link

Sidu28 marked the issue as sponsor disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label May 12, 2023
@c4-judge c4-judge closed this as completed Jun 1, 2023
@c4-judge c4-judge removed the primary issue Highest quality submission among a set of duplicates label Jun 1, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Jun 1, 2023

GalloDaSballo marked the issue as duplicate of #432

@c4-judge
Copy link
Contributor

c4-judge commented Jun 1, 2023

GalloDaSballo marked the issue as not a duplicate

@c4-judge c4-judge reopened this Jun 1, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Jun 1, 2023

GalloDaSballo marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jun 1, 2023
@GalloDaSballo
Copy link

Per the sponsors comment on #259

A slashed validator would be forced to repay the debt and withdraw

Meaning that the accounting error wouldn't happen in reality

That said, the onChain logic does provide a path in which this finding is valid, for this reason am downgrading to QA - Low Severity +3
L + 3

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jun 1, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Jun 1, 2023

GalloDaSballo changed the severity to QA (Quality Assurance)

@GalloDaSballo GalloDaSballo mentioned this issue Jun 1, 2023
Open
@c4-judge
Copy link
Contributor

c4-judge commented Jun 8, 2023

GalloDaSballo marked the issue as grade-b

@C4-Staff C4-Staff added the Q-03 label Jun 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b judge review requested Judge should review this issue primary issue Highest quality submission among a set of duplicates Q-03 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@GalloDaSballo @Sidu28 @code423n4 @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff