Slow Misty Iguana
Medium
ResumeFinalityProposal can be Dos
If the fp that requires jail has already voted, the ResumeFinalityProposal function will fail to execute.
The malicious fp votes before the ResumeFinalityProposal function is executed.
chain delay
If the fp in the jail list has been voted, the HandleResumeFinalityProposal function will return failure, and the recovery block Proposal will fail to execute:
func (k Keeper) HandleResumeFinalityProposal(ctx sdk.Context, fpPksHex []string, haltingHeight uint32) error {
......
for _, fpPkHex := range fpPksHex {
fpPk, err := bbntypes.NewBIP340PubKeyFromHex(fpPkHex)
if err != nil {
return fmt.Errorf("invalid finality provider public key %s: %w", fpPkHex, err)
}
fpPks = append(fpPks, fpPk)
voters := k.GetVoters(ctx, uint64(haltingHeight))
_, voted := voters[fpPkHex]
-> if voted {
// all the given finality providers should not have voted for the halting height
-> return fmt.Errorf("the finality provider %s has voted for height %d", fpPkHex, haltingHeight)
}
......
}ResumeFinalityProposal -> HandleResumeFinalityProposal
https://github.com/sherlock-audit/2024-12-babylon/blob/main/babylon/x/finality/keeper/gov.go#L37-L42
A malicious fp (or the fp just doesn't want to be jailed) will vote before the ResumeFinalityProposal is executed.
The transaction of the fp vote can be in the same block as the transaction of the Proposal, or it can be a transaction before the Proposal.
Since the ResumeFinalityProposal requires the signature of gov, fp can query the Proposal transaction in advance.
Assuming that the Proposal takes one day from publication to execution, the attack will make the block recover for two days or more.
If fp has already voted, remove fp from the jail list.