Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TRST audit fixes for HorizonStaking contract #1073

Open
wants to merge 21 commits into
base: horizon
Choose a base branch
from
Open

TRST audit fixes for HorizonStaking contract #1073

wants to merge 21 commits into from

Conversation

Maikol
Copy link
Member

@Maikol Maikol commented Nov 28, 2024
edited by tmigone
Loading

This PR fixes the following issues:

  • TRST-H-2 Core thawing logic of Horizon staking can be broken due to collision in data structures
  • TRST-H-3 An attacker could prevent a delegator from ever withdrawing their tokens
  • TRST-H-4 The last withdrawal from a provision or delegation could permanently revert due to accounting flaw in slashing
  • TRST-H-6 During the transition period, legacy allocations cannot be slashed
  • TRST-H-7 Delegators that began undelegation before the transition would not be able to withdraw them
  • TRST-M-3 An attacker could make the minimum delegation amount arbitrarily large and prevent competing delegations
  • TRST-M-11 After the transition period, locked amount would still not be available for use
  • TRST-M-12 The operator check in closeAllocations() will not work, indexers must close by themselves
  • TRST-L-3 The getThawedTokens() function could return a wrong amount leading to integration risks
  • TRST-R-1 Improve event structure
  • TRST-R-7 Thawing shares should be rounded up to protect from early unlocking of tokens
  • TRST-R-9 Documentation errors

@openzeppelin-code OpenZeppelin Code
Copy link

openzeppelin-code bot commented Nov 28, 2024
edited
Loading

TRST audit fixes for HorizonStaking contract

Generated at commit: f6ce0166ef1fc09d6be3835424ba6e258c6fc894

🚨 Report Summary

Severity Level Results
Contracts Critical
High
Medium
Low
Note
Total		 2
4
0
15
39
60
Dependencies Critical
High
Medium
Low
Note
Total		 0
0
0
0
0
0

For more details view the full report in OpenZeppelin Code Inspector

@Maikol Maikol force-pushed the mde/trust-staking-fixes branch from 9e05f2f to edb248c Compare November 28, 2024 16:29
@Maikol Maikol force-pushed the mde/trust-staking-fixes branch from edb248c to ce749be Compare November 28, 2024 18:26
@Maikol Maikol marked this pull request as ready for review November 29, 2024 19:49
@Maikol Maikol changed the title fix: separate delegation and provision thaw request lists (TRST-H02) TRST audit fixes for HorizonStaking contract Dec 2, 2024
tmigone
tmigone approved these changes Dec 4, 2024
View reviewed changes
Copy link
Contributor

@tmigone tmigone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some suggestions!

packages/horizon/contracts/interfaces/internal/IHorizonStakingTypes.sol Show resolved Hide resolved
packages/horizon/contracts/staking/HorizonStakingStorage.sol Show resolved Hide resolved
packages/horizon/contracts/staking/HorizonStaking.sol Outdated Show resolved Hide resolved
packages/horizon/contracts/staking/HorizonStaking.sol Outdated Show resolved Hide resolved
packages/horizon/contracts/staking/HorizonStaking.sol Outdated Show resolved Hide resolved
@Maikol Maikol requested review from pcarranzav and tmigone December 6, 2024 18:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pcarranzav pcarranzav Awaiting requested review from pcarranzav

@tmigone tmigone Awaiting requested review from tmigone

Assignees
No one assigned
Labels
audit-fix horizon
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Maikol @pcarranzav @tmigone