Odd Orchid Capybara
High
A missing check for pending slash operations will cause a potential loss of slashed funds for the protocol as the voucher actor will front-run the slash operation by calling the https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L452 function.
In EthosVouch.sol function does not check for pending slash operations, allowing the voucher actor to front-run the slash operation.
- Voucher actor needs to call
unvouch
to setarchived
totrue
- Slasher needs to call [slash] to set [balance] to be reduced by the slash percentage.
None
- Voucher actor calls via front-run [unvouch] to withdraw the staked amount.
- Slasher calls [slash] to reduce the balance, but the vouch is already archived.
The protocol suffers a potential loss of slashed funds. The attacker gains the full staked amount without any reduction due to slashing. Additionally, this can lead to a loss of trust in the protocol's slashing mechanism, as malicious actors can avoid penalties by front-running the slash operation.
// Pseudo-code for attack steps
// Step 1: Voucher actor calls unvouch to withdraw the staked amount
function attackStep1() {
// Assume vouchId is known
uint256 vouchId = 1;
EthosVouch.unvouch(vouchId);
}
// Step 2: Slasher calls slash to reduce the balance, but the vouch is already archived
function attackStep2() {
// Assume authorProfileId and slashBasisPoints are known
uint256 authorProfileId = 1;
uint256 slashBasisPoints = 100; // 1%
EthosVouch.slash(authorProfileId, slashBasisPoints);
}
// Execute the attack
function executeAttack() {
attackStep1(); // Voucher actor front-runs the slash operation
attackStep2(); // Slasher attempts to slash, but the vouch is already archived
}
-
Add a Pending Slash Check: Introduce a mechanism to check for pending slash operations before allowing the unvouch function to proceed. This can be done by maintaining a mapping of pending slashes and checking it within the unvouch function.
-
Delay Unvouching: Implement a delay mechanism where unvouching can only be performed after a certain period, allowing enough time for any pending slash operations to be executed.