Skip to content

Latest commit

 

History

History
67 lines (44 loc) · 2.43 KB

File metadata and controls

67 lines (44 loc) · 2.43 KB

Odd Orchid Capybara

High

Voucher actor will front-run slash operation by voucher actor

Summary

A missing check for pending slash operations will cause a potential loss of slashed funds for the protocol as the voucher actor will front-run the slash operation by calling the https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L452 function.

Root Cause

In EthosVouch.sol function does not check for pending slash operations, allowing the voucher actor to front-run the slash operation.

Internal pre-conditions

  1. Voucher actor needs to call unvouch to set archived to true
  2. Slasher needs to call [slash] to set [balance] to be reduced by the slash percentage.

External pre-conditions

None

Attack Path

  1. Voucher actor calls via front-run [unvouch] to withdraw the staked amount.
  2. Slasher calls [slash] to reduce the balance, but the vouch is already archived.

Impact

The protocol suffers a potential loss of slashed funds. The attacker gains the full staked amount without any reduction due to slashing. Additionally, this can lead to a loss of trust in the protocol's slashing mechanism, as malicious actors can avoid penalties by front-running the slash operation.

PoC

// Pseudo-code for attack steps

// Step 1: Voucher actor calls unvouch to withdraw the staked amount
function attackStep1() {
    // Assume vouchId is known
    uint256 vouchId = 1;
    EthosVouch.unvouch(vouchId);
}

// Step 2: Slasher calls slash to reduce the balance, but the vouch is already archived
function attackStep2() {
    // Assume authorProfileId and slashBasisPoints are known
    uint256 authorProfileId = 1;
    uint256 slashBasisPoints = 100; // 1%
    EthosVouch.slash(authorProfileId, slashBasisPoints);
}

// Execute the attack
function executeAttack() {
    attackStep1(); // Voucher actor front-runs the slash operation
    attackStep2(); // Slasher attempts to slash, but the vouch is already archived
}

Mitigation

  1. Add a Pending Slash Check: Introduce a mechanism to check for pending slash operations before allowing the unvouch function to proceed. This can be done by maintaining a mapping of pending slashes and checking it within the unvouch function.

  2. Delay Unvouching: Implement a delay mechanism where unvouching can only be performed after a certain period, allowing enough time for any pending slash operations to be executed.