Audit cyfrin

[gonzaloetjo]

Linked issues

Solved

• Fix C01 (Middleware) - Dust limit attack on forceUpdateNodes allows DoS of rebalancing and potential vault insolvency #163
• Fix C-02 (Middleware): Future epoch cache manipulation via calcAndCacheStakes allows reward manipulation #164
• Fix H-01 (VaultFactory): Blacklisted vault implementation versions are accessible through migrations #160
• Fix H02 (DelegatorFactory) - New entity can be created for a blacklisted implementation #161
• Fix H06 (Rewards) - Incorrect Summation of Curator Shares in claimUndistributedRewards Leads to Deficit in Claimed Undistributed Rewards (Now H03) #171
• Fix H04 (Rewards) - Incorrect reward claim logic causes loss of access to intermediate epoch rewards #154
• Fix H07 (Rewards - Middleware) - Timestamp boundary condition causes reward dilution for active operators (Now H05) #172
• Fix H03 (Middleware) - Immediate stake cache updates enable reward distribution without P-Chain confirmation (Now H06) #165
• Fix H07 (Rewards) - Vault rewards incorrectly scaled by cross-asset-class operator totals instead of asset class specific shares causing rewards leakage #197
• Fix H09 (Rewards) - Not All Reward Token's Rewards Are Claimable (Now H08) #174
• Fix H10 (Rewards) - Division by zero in rewards distribution can cause permanent lock of epoch rewards (Now H09) #175
• Fix M-01 (VaultTokenized): Vault initialization allows deposit whitelist with no management capability #158
• Fix M02 (VaultTokenized) - Vault initialization allows zero deposit limit with no ability to modify causing denial of service #159
• Fix M07 (VaultTokenized) - Potential underflow in slashing logic (Now M03) #170
• Fix M03 (Checkpoints) - Wrong value is returned in upperLookupRecentCheckpoint (Now M04) #162
• Fix M04 (Middleware) - Inconsistent Stake Calculation Due to Mutable vaultManager Reference in AvalancheL1Middleware (Now M05) #167
• Fix M05 (Middleware) - Insufficient validation in AvalancheL1Middleware::removeOperator can create permanent validator lockup (Now M08) #168
• Fix H04 (Middleware) - Operator stake misattributed due to reused nodeId due to historical lookup flaw (Now M09) #166
• Fix M06 (Middleware) - Incorrect Inclusion of Removed Nodes in _requireMinSecondaryAssetClasses During forceUpdateNodes (Now M10) #169
• Fix H08 (Rewards) - Rewards system DOS due to unchecked asset class share and fee allocations (Now M11) #173
• Fix M08 (Rewards) - Operators Can Lose Their Reward Share (Now M12) #177
• Fix M09 (Middleware) - Inaccurate Stake Calculation Due to Decimal Mismatch Across Multi-Token Asset Classes (Now M14) #178
• Fix M10 (Rewards) - Accumulative Reward Setting to Prevent Overwrite and Support Incremental Updates (Now M15) #179
• Fix M11 (Rewards) - Rewards distribution DoS due to uncached secondary asset classes (Now M16) #180
• Fix M12 (Uptime) - Uptime loss due to integer division in UptimeTracker::computeValidatorUptime can make validator lose entire rewards for an epoch (Now M17) #181

On-going:

• L01 (vaultTokenized) - Missing zero-address validation for burner address during initialization can break slashing #183
• L03 (vaultTokenized) - Vault limit cannot be modified if vault Is already enabled #184
• L02 (BaseDelegator) - BaseDelegator is not using upgradeable version of ERC165 #185
• L04 (MiddlewareVaultManager) - Incorrect vault status determination in MiddlewareVaultManager #186
• L05 (Middleware) - Missing validation for zero epochDuration in AvalancheL1Middleware can break epoch based ac- counting #187
• L06 (Middleware) - Insufficient update window validation can cause denial of service in forceUpdateNodes #188
• L07 (Rewards) Premature zeroing of epoch rewards in claimUndistributedRewards can block legitimate claims #189
• L08 (BaseDelegator) - Hardcoded gas limit for hook in onSlash may cause reverts #190
• L09 (Middleware) - NodeId truncation can potentially cause validator registration denial of service #191
• L10 (Middleware) - Unbounded weight scale factor causes precision loss in stake conversion, potentially leading to loss of operator funds #192
• L11 (Middleware) - remainingBalanceOwner should be set by the protocol owner #193
• L12 (Middleware) - forceUpdateNodes potentially enables mass validator removal when new asset classes are added #194
• L13 (L1Registry) - Overpayment vulnerability in registerL1 #195

Aknowledged

• H11 (Uptime) - Inaccurate Uptime Distribution in computeValidatorUptime Function Leads to Reward Discrepancies (Now H10) #176

Changes

Modified tests o work correctly (some may be missing in this list):

• H09
• H10
• M09

[leopaul36]

This should probably be a revert

[leopaul36]

Comment is not super acurate. Could be "Complete weight update upon P-Chain confirmation"

[leopaul36]

DebugSecondaryAssetClassCheck event should be removed

[leopaul36]

DebugSecondaryAssetClassCheck event should be removed

[octane-security-app]

Summary by Octane

New Contracts

• MockERC20WithDecimals.sol: The contract is an ERC20 token implementation with customizable decimals and an initial supply minted to the deployer.

Updated Contracts

• DelegatorFactory.sol: Added blacklist check to prevent creation of certain delegator types.
• VaultFactory.sol: Implemented a blacklist check to prevent upgrades to specific versions.
• Checkpoints.sol: Replaced self._values[checkpoint._value] with checkpoint._value in return values for efficiency.
• AvalancheL1Middleware.sol: The smart contract now includes stricter operator validation, improved stake management with epoch delays, and enhanced handling of node updates and removals.
• MiddlewareVaultManager.sol: Removed address storage in the vaults and adjusted time comparison logic for determining vault activity.
• Rewards.sol: The contract now supports concurrent fee updates, epoch status tracking, asset class-specific share calculation, prevents reentrancy, and includes epoch funding/distribution constraints.
• UptimeTracker.sol: The smart contract now fairly distributes leftover uptime seconds across epochs, skipping processed epochs.
• VaultTokenized.sol: The updated smart contract introduces role consistency checks, deposit limit controls, overflow checks, and redistributes slashed stakes with new events.
• IDelegatorFactory.sol: Added error for blacklisted versions to enhance validation in the smart contract.
• IAvalancheL1Middleware.sol: The smart contract was modified to add new error messages, increase validation checks, and introduce a new event for debugging asset class checks.
• IRewards.sol: Added new error handling for rewards claiming and distribution, including scenarios where epochs are unfunded, already distributed, or exceed share limits, along with a new event for zero rewards claim attempts.
• IVaultTokenized.sol: The smart contract now includes a slash event with collateral redistribution details.
• MockAvalancheL1Middleware.sol: The smart contract adds operator management, including enable/disable functions and removal delay, as well as dynamic asset class handling.

---

🔗 Commit Hash: 6c37d1c

[octane-security-app]

Overview

Vulnerabilities found:	1
Severity breakdown:	1 Medium

Detailed findings

src/contracts/middleware/AvalancheL1Middleware.sol

• Unrestricted Access to calcAndCacheStakes() Cache Values. See more

---

🔗 Commit Hash: 6c37d1c
🛡️ Octane Dashboard: All vulnerabilities

[leopaul36]

Maybe redundant with L86-87

[leopaul36]

Why did all *claim functions became nonReentrant?