Skip to content

Latest commit

 

History

History
66 lines (43 loc) · 2.5 KB

054.md

File metadata and controls

66 lines (43 loc) · 2.5 KB

Brilliant Umber Eagle

High

Malicious fp can get more commission fee

Summary

Malicious fp can get more commission fee by modifying the commission parameter

Root Cause

It firstly update the dc during finality/keeper.go#BeginBlocker including fp.commission parameter, accumulate the previous block rewards inside incentive/abci.go#BeginBlocker then distribute the rewards during incentive module finality/abci.go#EndBlocker finally calling the RewardBTCStaking function:

func (k Keeper) RewardBTCStaking(ctx context.Context, height uint64, dc *ftypes.VotingPowerDistCache, voters map[string]struct{}) {
    for i, fp := range dc.FinalityProviders {
		if i >= int(dc.NumActiveFps) {
			break
		}

		if _, ok := voters[fp.BtcPk.MarshalHex()]; !ok {
			continue
		}

		// calculate the portion of a finality provider's voting power out of the total voting power of the voters
		fpPortion := sdkmath.LegacyNewDec(int64(fp.TotalBondedSat)).
			QuoTruncate(sdkmath.LegacyNewDec(int64(totalVotingPowerOfVoters)))
		coinsForFpsAndDels := gauge.GetCoinsPortion(fpPortion)

		// reward the finality provider with commission
		// @audit - get the commission fee based on the coins and commission.
		coinsForCommission := types.GetCoinsPortion(coinsForFpsAndDels, *fp.Commission)
		k.accumulateRewardGauge(ctx, types.FinalityProviderType, fp.GetAddress(), coinsForCommission)

		// reward the rest of coins to each BTC delegation proportional to its voting power portion
		coinsForBTCDels := coinsForFpsAndDels.Sub(coinsForCommission...)
		if err := k.AddFinalityProviderRewardsForBtcDelegations(ctx, fp.GetAddress(), coinsForBTCDels); err != nil {
			panic(fmt.Errorf("failed to add fp rewards for btc delegation %s at height %d: %w", fp.GetAddress().String(), height, err))
		}
	}
}

The fp will get the commission fee based on the commission parameter, but it can be edited through EditFinalityProvider function at any time, so any malicious fp can works as normal at block N-1 but update the fp.commission before/during finality/keeper.go#BeginBlocker to gain more commission fee such that its delegators would lose some rewards.

Internal Pre-conditions

None.

External Pre-conditions

None.

Attack Path

Impact

Malicious fp can get more commission fee by modifying the commission parameter.

PoC

Mitigation

Consider the commission parameter only changeable after rewards are distributed.