When an operator/nominator deregisters or withdraws stake, the stake is only able to unlock after `StakeWithdrawalLockingPeriod` number of domain blocks:

subspace/crates/pallet-domains/src/staking.rs
Lines 872 to 876 in a62bea9

But because we are using the confirmed domain block number to calculate the unlocked block number, in the first challenge period of a newly instantiated domain the `latest_confirmed_domain_block_number` is always zero, since only the genesis receipt is confirmed. As a result, anyone who deregisters/withdraws in the first challenge period will be able to unlock at the same block, `0 + StakeWithdrawalLockingPeriod`, no matter whether it is deregistered/withdrawn at the first block or the last of the challenge period. So the attacker may be able to submit a bad ER and deregister in the last block of the challenge period and unlock its funds in the next block before it is slashed by a fraud proof.

To fix it we should use the head domain number to calculate the unlocked block number: `HeadDomainNumber + StakeWithdrawalLockingPeriod`
cc @vedhavyas @dariolina
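
The two calculations compared over the first challenge period, as an added example that is not part of the original issue and not pallet-domains code. The function names, the constant values, the confirmation model and the choice to measure the lock in head blocks are all assumptions made for illustration.

```rust
// Simplified model of the unlock-block calculation; not pallet-domains code.
// All names and numeric values are constructed for illustration.
type DomainBlockNumber = u32;

const CHALLENGE_PERIOD: DomainBlockNumber = 100; // constructed value
const STAKE_WITHDRAWAL_LOCKING_PERIOD: DomainBlockNumber = 120; // constructed value

/// Assumed model: a receipt is confirmed once it is CHALLENGE_PERIOD blocks
/// behind the head, so only genesis (block 0) is confirmed in the first period.
fn latest_confirmed(head: DomainBlockNumber) -> DomainBlockNumber {
    head.saturating_sub(CHALLENGE_PERIOD)
}

/// Calculation described in the issue: based on the confirmed block number.
fn unlock_at_confirmed(head: DomainBlockNumber) -> DomainBlockNumber {
    latest_confirmed(head).saturating_add(STAKE_WITHDRAWAL_LOCKING_PERIOD)
}

/// Proposed calculation: based on the head domain number.
fn unlock_at_head(head: DomainBlockNumber) -> DomainBlockNumber {
    head.saturating_add(STAKE_WITHDRAWAL_LOCKING_PERIOD)
}

/// Distance from the request to the unlock block, in domain blocks
/// (assumption: the lock is measured against the head number).
fn lock_served(head_at_request: DomainBlockNumber, unlock_at: DomainBlockNumber) -> DomainBlockNumber {
    unlock_at.saturating_sub(head_at_request)
}

fn main() {
    // Requests made at the first, a middle and the last block of the
    // first challenge period.
    println!("{:>5} {:>16} {:>7} {:>11} {:>7}", "head", "confirmed-based", "served", "head-based", "served");
    for head in [1, 50, CHALLENGE_PERIOD] {
        let old = unlock_at_confirmed(head);
        let new = unlock_at_head(head);
        println!(
            "{:>5} {:>16} {:>7} {:>11} {:>7}",
            head, old, lock_served(head, old), new, lock_served(head, new)
        );
    }
}
```

With the confirmed-based calculation every request in the first challenge period gets the same unlock block, so the lock actually served shrinks the later the request is made; with the head-based calculation it is always the full locking period.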