Code4rena (code423n4), CODE423N4:2023-02-GOGOPOOL-MITIGATION-CONTEST-FINDINGS-ISSUES-61
Feb 15, 2023 - 12:00 a.m.

Slashed amount may not cover the staker reward payout


Lines of code

Vulnerability details

Impact

Slashed amount may not cover the staker reward payout

Proof of Concept

In the current fix, <https://github.com/multisig-labs/gogopool/pull/41>, if the staked balance cannot cover the slashed amount, the staked balance is seized:

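```solidity
Staking staking = Staking(getContractAddress("Staking"));
// Cap the slash at the owner's current GGP stake
if (staking.getGGPStake(owner) < slashGGPAmt) {
	slashGGPAmt = staking.getGGPStake(owner);
}
// Record the (possibly reduced) slash amount for this minipool
setUint(keccak256(abi.encodePacked("minipool.item", index, ".ggpSlashAmt")), slashGGPAmt);
```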

The purpose of slashing the pool creator's staked balance is to make sure that the staker can still get the reward when the validator has an error. However, if the node operator (pool creator) has no staked balance to slash, there can be little funds to pay out the staker's reward even after slashing.

If the cost of running the node is larger than the reward plus the slashed amount, there can be no incentive for the pool creator to operate the node, because the node operator knows he will lose at most the slashed amount.

For example, if the expected slashed amount is 1000 GGP but only 100 GGP is left in the staker's balance, then 100 GGP is slashed and the staker avoids being slashed by 1000 GGP.

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend that the protocol begin slashing the staked AVAX if the staked GGP token amount cannot cover the slashed amount.
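The shortfall from the proof of concept and the recommended AVAX fallback can be compared side by side in the sketch below. It is an added example, not code from GoGoPool or from the linked pull request; the library, struct and function names are hypothetical, and `ggpPriceInAvax` is an assumed 18-decimal price (AVAX per 1 GGP) that the finding itself does not specify.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration only. Every name in this library is hypothetical.
library SlashMath {
    struct Slash {
        uint256 ggpSlashed;   // GGP seized from the operator's GGP stake
        uint256 avaxSlashed;  // AVAX seized to cover the GGP shortfall
        uint256 uncoveredGGP; // GGP value that no stake could cover
    }

    /// Behaviour of the current fix: the slash is capped at the GGP stake.
    /// With ggpStake = 100 and slashGGPAmt = 1000 (the finding's example),
    /// ggpSlashed = 100 and uncoveredGGP = 900.
    function cappedSlash(uint256 ggpStake, uint256 slashGGPAmt)
        internal pure returns (Slash memory s)
    {
        s.ggpSlashed = slashGGPAmt < ggpStake ? slashGGPAmt : ggpStake;
        s.uncoveredGGP = slashGGPAmt - s.ggpSlashed;
    }

    /// Recommended mitigation: take the remaining shortfall from staked AVAX.
    /// Assumption: ggpPriceInAvax is AVAX per 1 GGP, scaled by 1e18.
    function slashWithAvaxFallback(
        uint256 ggpStake,
        uint256 avaxStake,
        uint256 slashGGPAmt,
        uint256 ggpPriceInAvax
    ) internal pure returns (Slash memory s) {
        s = cappedSlash(ggpStake, slashGGPAmt);
        // Nothing left to cover, or no usable price: keep the capped result.
        if (s.uncoveredGGP == 0 || ggpPriceInAvax == 0) return s;

        uint256 avaxNeeded = (s.uncoveredGGP * ggpPriceInAvax) / 1 ether;
        if (avaxNeeded <= avaxStake) {
            // Staked AVAX fully covers the GGP shortfall.
            s.avaxSlashed = avaxNeeded;
            s.uncoveredGGP = 0;
        } else {
            // Even the AVAX stake is too small: seize all of it and
            // report what remains uncovered, expressed in GGP.
            s.avaxSlashed = avaxStake;
            s.uncoveredGGP -= (avaxStake * 1 ether) / ggpPriceInAvax;
        }
    }
}
```

A non-zero `uncoveredGGP` after the fallback is the amount the staker payout would still be short, which is the value worth emitting in an event or asserting on in a test.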

