Platform: Code4rena
Start Date: 15/12/2022
Pot Size: $128,000 USDC
Total HM: 28
Participants: 111
Period: 19 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 194
League: ETH
Rank: 69/111
Findings: 3
Award: $78.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xdeadbeef0x
Also found by: 0Kage, 0xc0ffEE, 0xmint, AkshaySrivastav, Allarious, Ch_301, Franfran, HollaDieWaldfee, IllIllI, Jeiwan, Lirios, Manboy, adriro, ak1, bin2chen, caventa, chaduke, clems4ever, cozzetti, datapunk, imare, immeas, kaliberpoziomka8552, ladboy233, pauliax, peritoflores, rvierdiiev, sces60107, sk8erboy, stealthyz, unforgiven, wagmi, wallstreetvilkas, yixxas
9.9345 USDC - $9.93
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L196 https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L242 https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L259 https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L484 https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/ClaimNodeOp.sol#L51
The method createMinipool allows for relaunching an existing pool, but it does not check that the relaunch is being triggered by the pool's owner. Instead, it just resets the pool, increases the pool count for the msg.sender, and on line 259 sets the new owner to be the msg.sender. There needs to be some owner validation for the case of an existing pool, because this should not be possible, and actually results in bad accounting (keep reading).
The pool needs to be in a state that allows transitioning into the Prelaunched state, otherwise this call will fail. This includes the Error state. However, the transition of a pool to Error state also does not decrement number of user minipools (https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L484). The method will remove the avax, but it will not decrement the number of pools. From the Error state, the pool can be re-launched by a different owner. Both the original and new owner will have non-zero minipool count in the staking, and the original owner will have this count forever, because they will not have a pool to cancel any more. This can be problematic as the original owner seemingly always have some pools, and their staking time would never reset to 0 in the calculateAndDistributeRewards() methods in ClaimNodeOp.sol#82 would be always true. This would also result in the staker ALWAYS being eligible for rewards as ClaimNodeOp.isEligible() would always have non-zero value. This can result in wrong distribution of rewards.
Sequence of actions described above. 1. Alice creates a minipool. 2. Rialto changes the pool's state to Error. 3. Mallory re-creates Alice's minipool. Alice now does not own the pool, but Mallory does, and both have number of minipools set to 1 in Staking.
Manual analysis.
Add validation of an owner to when the existing pool is re-created. Furthermore, ensure integrity in the book keeping of the number of pools, because it can currently be violated (even if the owner is validated).
#0 - 0xminty
2023-01-03T23:54:31Z
dupe of #805
#1 - c4-judge
2023-01-09T12:37:05Z
GalloDaSballo marked the issue as duplicate of #213
#2 - c4-judge
2023-02-03T12:33:00Z
GalloDaSballo changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-02-03T19:26:10Z
GalloDaSballo changed the severity to 3 (High Risk)
#4 - c4-judge
2023-02-08T08:26:45Z
GalloDaSballo changed the severity to 2 (Med Risk)
#5 - c4-judge
2023-02-08T08:50:11Z
GalloDaSballo changed the severity to 3 (High Risk)
#6 - c4-judge
2023-02-08T20:25:18Z
GalloDaSballo marked the issue as satisfactory
#7 - c4-judge
2023-02-09T08:53:06Z
GalloDaSballo changed the severity to QA (Quality Assurance)
#8 - Simon-Busch
2023-02-09T12:47:36Z
Changed severity back from QA to H as requested by @GalloDaSballo
🌟 Selected for report: imare
Also found by: 0Kage, 0xbepresent, AkshaySrivastav, Faith, HollaDieWaldfee, Jeiwan, Saintcode_, betweenETHlines, btk, dic0de, enckrish, gz627, imare, jadezti, kaliberpoziomka8552, nogo, simon135, sk8erboy
34.7487 USDC - $34.75
Method requireNextActiveMultisig() always returns the first active multisig, not the next active one. If there is any intention of cycling multisigs (as the naming or engineering of the code suggests), this is a bug. The same multisig would be by default used for all pools.
None needed
None needed
Re move the bug. Keep a counter of the latest multisig used, and loop from there mod count of the multisigs.
#0 - c4-judge
2023-01-08T13:26:16Z
GalloDaSballo marked the issue as duplicate of #702
#1 - c4-judge
2023-02-08T19:58:12Z
GalloDaSballo marked the issue as satisfactory
🌟 Selected for report: HollaDieWaldfee
Also found by: Allarious, Aymen0909, Saintcode_, SmartSek, adriro, bin2chen, cccz, kaliberpoziomka8552, minhtrng, rvierdiiev, sces60107, sk8erboy, wagmi
34.0473 USDC - $34.05
The transition of a pool to Error state also does not decrement number of user minipools (https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L484). As a result, a the book keeping of the minipool numbers can be wrong, becuase users can relaunch pools by calling the createMinipool() method which will blindly increment the number of their pools. Also, all the other methods for finishing pools decrement the number of the staker in the staking contract, but this one does not.
None needed.
Manual analysis.
Decrese the number of user minipools in staking when bringing the pool into the errored state.
#0 - 0xju1ie
2023-01-12T18:32:28Z
duplicate of #590
#1 - c4-judge
2023-01-31T15:15:01Z
GalloDaSballo marked the issue as duplicate of #235
#2 - GalloDaSballo
2023-01-31T15:16:10Z
I believe the finding should have been further developed, but the summary does hit both aspects of the vulnerability
For this reason am awarding 50%
I recommend the Warden to always add a Coded POC to demonstrate the attacks fully
#3 - c4-judge
2023-01-31T15:16:16Z
GalloDaSballo marked the issue as partial-50
#4 - c4-judge
2023-02-08T19:43:07Z
GalloDaSballo changed the severity to 2 (Med Risk)