Voucher can avoid slashing penalties by front-running with `unvouch()`

Summary

The EthosVouch::slash() slashes up to 10% of all vouch balances for a given voucher. However, the voucher can front-run the slashing transaction by calling unvouch() and paying the exit fee. If the exit fee is significantly lower than the penalties, the voucher can minimize or avoid most of the losses.

Root Cause

The current implementation of slash() does not account for the possibility of a voucher executing an unvouch() transaction immediately before the slashing is finalized.

Internal pre-conditions

The slash() function is called to penalize a voucher.
The voucher has sufficient time to detect the slashing transaction and front-run it by calling unvouch().

External pre-conditions

No response

Attack Path

No response

Impact

Allowing malicious vouchers to avoid penalties.

PoC

No response

Mitigation

One possible option could be implementing an unvouch queue, unvouch requests can still be slashed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

004.md

004.md

Voucher can avoid slashing penalties by front-running with `unvouch()`

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

004.md

Latest commit

History

004.md

File metadata and controls

Voucher can avoid slashing penalties by front-running with unvouch()

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Voucher can avoid slashing penalties by front-running with `unvouch()`