Platform: Code4rena
Start Date: 22/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 133
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 165
League: ETH
Rank: 90/133
Findings: 1
Award: $28.01
Selected for report: 0
Solo Findings: 0
Selected for report: rotcivegaf
Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, B2, Bahurum, Bnke0x0, Ch_301, CodingNameKiki, Deivitto, Diana, Funen, IllIllI, JC, JLevick, KIntern_NA, Lambda, OptimismSec, PaludoX0, RockingMiles, Rolezn, Sm4rty, Soosh, Tagir2003, Tointer, TomJ, Triangle, Trust, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, asutorufos, ayeslick, aysha, bbuddha, bharg4v, bobirichman, brgltd, bytera, c3phas, cryptostellar5, cryptphi, csanuragjain, datapunk, delfin454000, durianSausage, exd0tpy, gogo, got_targ, jag, joestakey, karanctf, ladboy233, leosathya, lukris02, mics, millersplanet, natzuu, neko_nyaa, obront, oyc_109, parashar, peritoflores, rbserver, ret2basic, rokinot, ronnyx2017, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, tnevler, yasir, yongskiws
28.0141 USDC - $28.01
Withdrawals have changed from BLS public keys to Eth1 addresses. Unless the withdrawal credential is set to an Eth1 address, validators will NOT be able to withdraw from the beacon chain. They need to somehow coordinate a switch from BLS pubkeys to Eth1 addresses which will be a headache and actually gives validators full ability to withdraw funds to whatever addresses they want. This even violates trust assumptions if Frax extends their validator set to include esteemed staking service providers like StakeFish, Figment, or others.
To solve this, Frax must set up a withdrawal stub contract which will receive withdrawn Ether from the beacon chain, then the OperatorRegistry must simply be changed to account for the newly formatted Eth1 withdrawal credential:
    bytes withdrawal_credential;
    address public timelock_address;

    constructor(address _owner, address _timelock_address, address _withdrawal_contract) Owned(_owner) {
        timelock_address = _timelock_address;
        // 32 bytes: 0x01 prefix, 11 zero bytes, 20-byte withdrawal address
        // (bytes1 replaces the `byte` alias, which Solidity 0.8 removed)
        withdrawal_credential = abi.encodePacked(bytes1(0x01), bytes11(0x0), _withdrawal_contract);
    }
Just need to make sure that all withdrawal contracts are maintained and kept ready for future consensus upgrades.
Super happy to see more liquid staking solutions popping up! Liquid staking is here to stay, and the more options ETH holders have, the better it is for the network :)
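An off-chain audit of the credential layout described in the submission above, added here as an example (it is not part of the original submission or of Frax's code). The function names, the `STUB` address and the sample validators are constructed for illustration; the `0x00` case assumes the standard BLS credential layout from the consensus spec.

```python
# Added example: audit validator withdrawal credentials off-chain.
BLS_PREFIX = 0x00   # credential = 0x00 || sha256(BLS pubkey)[1:]
ETH1_PREFIX = 0x01  # credential = 0x01 || 11 zero bytes || 20-byte address


def _unhex(value: str, expected_len: int, what: str) -> bytes:
    """Decode a hex string (optional 0x prefix) and enforce its byte length."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) != expected_len:
        raise ValueError(f"{what} must be {expected_len} bytes, got {len(raw)}")
    return raw


def eth1_credential(withdrawal_contract: str) -> str:
    """Same bytes as abi.encodePacked(bytes1(0x01), bytes11(0), addr)."""
    addr = _unhex(withdrawal_contract, 20, "address")
    return "0x" + (bytes([ETH1_PREFIX]) + bytes(11) + addr).hex()


def audit_credential(credential: str, expected_contract: str) -> str:
    """Classify one 32-byte credential against the expected withdrawal address."""
    cred = _unhex(credential, 32, "withdrawal credential")
    expected = _unhex(expected_contract, 20, "address")
    if cred[0] == BLS_PREFIX:
        return "bls"             # withdrawals controlled by a BLS key holder
    if cred[0] != ETH1_PREFIX:
        return "unknown-prefix"
    if cred[1:12] != bytes(11):
        return "bad-padding"     # malformed 0x01 credential
    if cred[12:] != expected:
        return "wrong-address"   # funds would exit to another address
    return "ok"


def audit_all(samples: dict, expected_contract: str) -> dict:
    """Audit every validator's credential; returns name -> verdict."""
    return {n: audit_credential(c, expected_contract) for n, c in samples.items()}


# Constructed sample data (not real validators or addresses).
STUB = "0x" + "ab" * 20
SAMPLES = {
    "validator-a": eth1_credential(STUB),
    "validator-b": "0x00" + "11" * 31,
    "validator-c": eth1_credential("0x" + "cd" * 20),
    "validator-d": "0x01" + "00" * 10 + "ff" + "ab" * 20,
}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES, STUB).items():
        print(name, verdict)
```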
#0 - FortisFortuna
2022-09-27T00:44:06Z
I don't think we will be using other validator services anytime soon, and if we do, we can always replace out this contract with updated code. Right now, we plan on just rolling our own.
#1 - 0xean
2022-10-13T23:44:56Z
Downgrading to QA