Polygon Adapter Vulnerability Post-Mortem
Incident Summary
- Issue Title: Polygon Tenderizer liveness failure after validator ownership change
- Discovery Date: 15th of March 2024
- Public Disclosure Date: 15th of March 2024
- Severity: High
- Impact: Liveness failure of affected Tenderizer leading to inability to withdraw/deposit.
- Affected Contracts/Systems: Tenderizer vaults for Polygon validators
On March 15th at 11 AM CET, BountyBlok reported that they could no longer rebase their Polygon Tenderizer vault linked to their Polygon validator. They noted that they had recently changed their validator's owner address.
The issue is triggered when a Polygon validator changes its owner address, which leaves the Tenderizer contracts unable to fetch the correct ValidatorShare contract for that validator to interact with.
Leadup
Tenderize vaults use validator addresses for identification and registration. However, on Polygon this address can be changed by the validator itself.
The first version of the Polygon Adapter contract was audited in December 2023 and deployed on February 1st 2024. Despite several code checks, this potential bug wasn't taken into account.
Fault
The issue is triggered when a Polygon validator changes its owner address, which leaves the Tenderizer contracts unable to fetch the correct ValidatorShare contract for that validator to interact with.
This owner address indicates who owns a validator's staking NFT, which delegations are tied to.
Tenderize's Polygon vaults are identified by this owner address, and the design didn't take into account that the address can change.
When a validator changes its owner, all subsequent calls that look up the validator's id by the old owner address revert, because they reference a validator that no longer exists under that address.
Impact
While only the validator itself can change ownership and thus trigger this bug, doing so causes a liveness failure of the affected smart contract: the vault can no longer be rebased, deposited into, or withdrawn from.
Detection
The Tenderize team first detected an anomaly in week 11 of 2024 with a particular Polygon Tenderizer reverting when it gets rebased.
On March 15th, the BountyBlok team reported the same incident with the added information that they had recently changed their validator's owner.
This led to the identification of the issue.
Response
The team responded to the incident with the following steps:
- Check how many Polygon Tenderizers are affected (result: 1)
- Check if a potential fix can be included in the PolygonAdapter with backwards compatibility
- Test the fix against a fork of the live environment
Recovery
A new PolygonAdapter was deployed on March 15th at 15:57 CET in the following transaction https://etherscan.io/tx/0xe770099acce6757683bc246115bc0c184a706f1d7848c08d91a03e9d552e2bce.
It was then registered in the Tenderize Registry with a follow-up transaction at https://etherscan.io/tx/0xe4a8f2da883861a679c6e4ff416cd2ce99bca4ecc5d075e398e5a86aef0829ca.
After the fix was deployed, all vaults were rebased to propagate their immutable validatorId into storage, so that later lookups no longer depend on the mutable owner address.
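The following Solidity sketch is an added illustration, not the Tenderize adapter's own code: it contrasts an adapter that resolves the ValidatorShare contract from the mutable owner address on every call with one that resolves the immutable validatorId once and caches it in storage, which is the shape of the fix described above. The interface is a reduced, assumed view of Polygon's StakeManager, and the adapter is shown as a plain contract rather than a delegatecalled module for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reduced view of Polygon's StakeManager (assumed shape for this example).
interface IStakeManager {
    // Reverts if `owner` holds no validator NFT, e.g. after an owner change.
    function getValidatorId(address owner) external view returns (uint256);
    // Maps the immutable validator id to its ValidatorShare contract.
    function getValidatorContract(uint256 validatorId) external view returns (address);
}

// Vulnerable pattern: derive the id from the (mutable) owner address on every call.
contract VulnerableAdapter {
    IStakeManager public immutable stakeManager;
    address public immutable validatorOwner;

    constructor(IStakeManager sm, address owner) { stakeManager = sm; validatorOwner = owner; }

    function validatorShare() external view returns (address) {
        // Reverts permanently once the validator changes its owner: liveness failure.
        return stakeManager.getValidatorContract(stakeManager.getValidatorId(validatorOwner));
    }
}

// Hardened pattern: resolve the id once while the owner is still valid, then cache it.
contract HardenedAdapter {
    IStakeManager public immutable stakeManager;
    address public immutable validatorOwner;
    uint256 public validatorId; // 0 means "not yet propagated" (ids assumed to start at 1)

    constructor(IStakeManager sm, address owner) { stakeManager = sm; validatorOwner = owner; }

    // Lazy propagation keeps existing vaults backwards compatible: the first
    // rebase after the upgrade fills the slot, later calls never touch the owner.
    function _validatorId() internal returns (uint256 id) {
        id = validatorId;
        if (id == 0) {
            id = stakeManager.getValidatorId(validatorOwner);
            validatorId = id;
        }
    }

    function validatorShare() external returns (address) {
        return stakeManager.getValidatorContract(_validatorId());
    }
}
```

The hardened variant still fails if the owner changes before the first propagation, which is why every live vault was rebased right after the upgrade.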
Other Suggestions
- Polygon::StakeManager::getValidatorId(address) SHOULD NOT revert
- Polygon::StakeManager::getValidatorId(address) SHOULD return 0 if no valid id was found
- Validator owner should be immutable; signer is supposed to be the hot wallet for operations.