code423n4
Code4rena
CODE423N4:2023-08-LIVEPEER-FINDINGS-ISSUES-180
Sep 06, 2023 - 12:00 a.m.

The _newPosPrev/_newPosNext hints do not fully prevent invalid ordering when decreasing a delegate's stake.

decreasetotalstake
invalid ordering
transcoders
pool order
mitigation steps
stake
contract
validation

Lines of code
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1367>

Vulnerability details

Impact

The contract could incorrectly deactivate or reward transcoders based on the invalid pool order.

Proof of Concept

When decreasing a delegate’s stake with decreaseTotalStake(), the contract calls transcoderPool.updateKey() to update the delegate’s position in the pool. However, passing the _newPosPrev/_newPosNext hints does not guarantee correct ordering after the update.
Here is how an invalid order could occur:

  1. Transcoder A has 1000 LPT stake, Transcoder B has 500 LPT stake
  2. The pool order is: [A, B]
  3. B’s stake decreases to 400 LPT
  4. We pass A as the _newPosPrev hint when updating B’s stake
  5. This positions B before A in the pool even though A has higher stake
  6. Resulting invalid order: [B, A]

Tools Used

Manual

Recommended Mitigation Steps

Proper mitigations include doing a full sort after updates or maintaining a separate sorted list for validation.
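
One way to implement the validation recommended above, shown as a Python model (an added example, not code from Livepeer or from this finding; Pool, update_key and is_sorted are hypothetical names). A caller-supplied hint is used only when the neighbours' stakes bracket the new stake; otherwise the pool falls back to a scan, and the descending-order invariant is asserted after every update.

```python
# Added illustration: a Python model of a stake-ordered pool, not Livepeer's Solidity.
# Pool, update_key and is_sorted are hypothetical names; stakes are constructed values.

class Pool:
    """Transcoder ids kept in descending stake order."""

    def __init__(self, stakes):
        self.stake = dict(stakes)
        self.order = sorted(self.stake, key=self.stake.get, reverse=True)

    def _hint_ok(self, order, prev, nxt, key):
        """True when inserting between prev and nxt keeps descending order."""
        if not order or (prev is None and nxt is None):
            return False                       # nothing to validate: scan instead
        if prev is None:                       # hint claims the head position
            return order[0] == nxt and key >= self.stake[nxt]
        if nxt is None:                        # hint claims the tail position
            return order[-1] == prev and self.stake[prev] >= key
        if prev not in order or nxt not in order:
            return False
        i = order.index(prev)
        adjacent = i + 1 < len(order) and order[i + 1] == nxt
        return adjacent and self.stake[prev] >= key >= self.stake[nxt]

    def update_key(self, node, new_key, prev=None, nxt=None):
        """Re-position node; the hints are used only if they validate."""
        rest = [n for n in self.order if n != node]
        if self._hint_ok(rest, prev, nxt, new_key):
            pos = 0 if prev is None else rest.index(prev) + 1
        else:                                  # bad or stale hint: linear scan
            pos = next((i for i, n in enumerate(rest)
                        if self.stake[n] < new_key), len(rest))
        rest.insert(pos, node)
        self.stake[node] = new_key
        self.order = rest
        assert self.is_sorted(), "pool order invariant violated"

    def is_sorted(self):
        keys = [self.stake[n] for n in self.order]
        return all(a >= b for a, b in zip(keys, keys[1:]))


if __name__ == "__main__":
    pool = Pool({"A": 1000, "B": 500})         # the stakes from the steps above
    pool.update_key("B", 400, prev="A")        # B decreases to 400, hint prev=A
    print(pool.order, pool.is_sorted())
```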

Assessed type

Other

