Karak Restaking - Mitigation Review
The universal restaking layer powered by the entire cryptoeconomy across every asset and every chain.
- Start date: 10 Sep 2024
- End date: 16 Sep 2024
- Total awards: $7,500 in USDC
- Duration: 6 days
Karak Restaking Mitigation Review
- Total Prize Pool: $7,500 in USDC
- HM awards: $6,000 in USDC
- Judge awards: $1,500 in USDC
- Warden guidelines for C4 mitigation reviews
- Starts September 10, 2024 20:00 UTC
- Ends September 16, 2024 20:00 UTC
Important note
Each warden must submit a mitigation review for every individual PR listed in the Scope
section below. Incomplete mitigation reviews will not be eligible for awards.
Findings being mitigated
Mitigations of all High and Medium issues (+ Additional Issues to be mitigated) will be considered in-scope and listed here.
- H-01: Slashing NativeVault will lead to locked ETH for the users
- H-02: The operator can create a NativeVault that can be silently unslashable.
- H-03: A DoS on snapshots due to a rounding error in calculations.
- H-04: Violation of Invariant Allowing DSSs to Slash Unregistered Operators
- M-02: A snapshot may face a permanent DoS if both a slashing event occurs in the NativeVault and the staker's validator is penalized.
- M-03: When a DSS requests slashing against a vault for malicious behavior during the 2-day period that follows the 7-day SLASHING_WINDOW after a staker initiates a withdrawal, the token amount to be slashed is calculated to be higher than it should be
- M-04: Delayed Slashing Window and Lack of Transparency for Pending Slashes Could Lead to Loss of Funds
- M-05: Slashings will Always Fail In Some Cases
Additional issues to be mitigated:
- [ADD-01]: packages/contracts/src/NativeVault.sol L446
+ node.withdrawableCreditedNodeETH -= slashedWithdrawable;
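Review bot: the new `-=` on NativeVault.sol L446 will revert on underflow (assuming the contracts compile under Solidity 0.8 checked arithmetic) whenever `slashedWithdrawable` exceeds `node.withdrawableCreditedNodeETH`, which would turn a slash into a failed transaction rather than a partial slash; confirm that `slashedWithdrawable` is bounded by the credited withdrawable amount before this line is reached (for example `slashedWithdrawable = Math.min(slashedWithdrawable, node.withdrawableCreditedNodeETH)`), and that the mitigation PR includes a test for the case where the slashed amount equals or exceeds the withdrawable credited balance.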
- [ADD-02]: packages/contracts/src/entities/NativeVaultLib.sol L177-L178
validatorDetails.lastBalanceUpdateTimestamp =
node.currentSnapshotTimestamp == 0 ? node.lastSnapshotTimestamp : node.currentSnapshotTimestamp;
Overview of changes
Karak Restaking is a protocol that allows users to restake their assets by directly depositing them into the vaults of operators. Operators can then register with Distributed Secure Services (DSS) to provide economic security. Operators perform tasks for the DSS in exchange for rewards, and the DSS has the ability to slash the funds that operators have delegated.
Scope
Branch
https://github.com/karak-network/karak-restaking/tree/v2
Mitigation of High & Medium Severity Issues
Additional scope to be reviewed
These are additional changes that will be in scope.