fix: prevent slashing DoS (OZ M-02)

Signed-off-by: Tomás Migone <[email protected]>

Author: tmigone

packages/subgraph-service/contracts/DisputeManager.sol

@@ -569,10 +569,15 @@ contract DisputeManager is
             DisputeManagerInvalidTokensSlash(_tokensSlash, maxTokensSlash)
         );
 
-        // Rewards amount can only be extracted from service provider tokens so
-        // we grab the minimum between the slash amount and indexer's tokens
-        uint256 maxRewardableTokens = Math.min(_tokensSlash, provision.tokens);
-        uint256 tokensRewards = uint256(fishermanRewardCut).mulPPM(maxRewardableTokens);
+        // Rewards calculation:
+        // - Rewards can only be extracted from service provider tokens so we grab the minimum between the slash
+        //   amount and indexer's tokens
+        // - The applied cut is the minimum between the provision's maxVerifierCut and the current fishermanRewardCut. This
+        //   protects the indexer from sudden changes to the fishermanRewardCut while ensuring the slashing does not revert due
+        //   to excessive rewards being requested.
+        uint256 maxRewardableTokens = MathUtils.min(_tokensSlash, provision.tokens);
+        uint256 effectiveCut = MathUtils.min(provision.maxVerifierCut, fishermanRewardCut);
+        uint256 tokensRewards = effectiveCut.mulPPM(maxRewardableTokens);
 
         subgraphService_.slash(_indexer, abi.encode(_tokensSlash, tokensRewards));
         return tokensRewards;

packages/subgraph-service/test/disputeManager/DisputeManager.t.sol

@@ -3,6 +3,7 @@ pragma solidity 0.8.27;
 
 import "forge-std/Test.sol";
 
+import { MathUtils } from "@graphprotocol/horizon/contracts/libraries/MathUtils.sol";
 import { PPMMath } from "@graphprotocol/horizon/contracts/libraries/PPMMath.sol";
 import { IDisputeManager } from "../../contracts/interfaces/IDisputeManager.sol";
 import { Attestation } from "../../contracts/libraries/Attestation.sol";
@@ -410,8 +411,17 @@ contract DisputeManagerTest is SubgraphServiceSharedTest {
         uint256 fishermanPreviousBalance = token.balanceOf(fisherman);
         uint256 indexerTokensAvailable = staking.getProviderTokensAvailable(dispute.indexer, address(subgraphService));
         uint256 disputeDeposit = dispute.deposit;
-        uint256 fishermanRewardPercentage = disputeManager.fishermanRewardCut();
-        uint256 fishermanReward = _tokensSlash.mulPPM(fishermanRewardPercentage);
+        uint256 fishermanReward;
+        {
+            uint32 provisionMaxVerifierCut = staking
+                .getProvision(dispute.indexer, address(subgraphService))
+                .maxVerifierCut;
+            uint256 fishermanRewardPercentage = MathUtils.min(
+                disputeManager.fishermanRewardCut(),
+                provisionMaxVerifierCut
+            );
+            fishermanReward = _tokensSlash.mulPPM(fishermanRewardPercentage);
+        }
 
         vm.expectEmit(address(disputeManager));
         emit IDisputeManager.DisputeAccepted(

packages/subgraph-service/test/disputeManager/disputes/indexing/create.t.sol

@@ -42,7 +42,7 @@ contract DisputeManagerIndexingCreateDisputeTest is DisputeManagerTest {
 
             resetPrank(indexer);
             mint(indexer, tokens);
-            _createProvision(indexer, tokens, maxSlashingPercentage, disputePeriod);
+            _createProvision(indexer, tokens, fishermanRewardPercentage, disputePeriod);
             _register(indexer, abi.encode("url", "geoHash", address(0)));
             uint256 allocationIDPrivateKey = uint256(keccak256(abi.encodePacked(i)));
             bytes memory data = _createSubgraphAllocationData(

packages/subgraph-service/test/disputeManager/disputes/legacy.t.sol

@@ -29,13 +29,13 @@ contract DisputeManagerLegacyDisputeTest is DisputeManagerTest {
         vm.assume(tokensStaked >= minimumProvisionTokens);
         tokensProvisioned = bound(tokensProvisioned, minimumProvisionTokens, tokensStaked);
         tokensSlash = bound(tokensSlash, 2, tokensProvisioned);
-        tokensRewards = bound(tokensRewards, 1, tokensSlash.mulPPM(maxSlashingPercentage));
+        tokensRewards = bound(tokensRewards, 1, tokensSlash.mulPPM(fishermanRewardPercentage));
 
         // setup indexer state
         resetPrank(users.indexer);
         _stake(tokensStaked);
         _setStorage_allocation_hardcoded(users.indexer, allocationID, tokensStaked - tokensProvisioned);
-        _provision(users.indexer, tokensProvisioned, maxSlashingPercentage, disputePeriod);
+        _provision(users.indexer, tokensProvisioned, fishermanRewardPercentage, disputePeriod);
 
         resetPrank(users.arbitrator);
         _createAndAcceptLegacyDispute(allocationID, users.fisherman, tokensSlash, tokensRewards);

packages/subgraph-service/test/disputeManager/disputes/query/accept.t.sol

@@ -118,4 +118,109 @@ contract DisputeManagerQueryAcceptDisputeTest is DisputeManagerTest {
         vm.expectRevert(abi.encodeWithSelector(IDisputeManager.DisputeManagerDisputeNotInConflict.selector, disputeID));
         disputeManager.acceptDisputeConflict(disputeID, tokensSlash, true, 0);
     }
+
+    function test_Query_Accept_RevertWhen_SlashingOverMaxSlashPercentage_WithDelegation(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        uint256 maxTokensToSlash = uint256(maxSlashingPercentage).mulPPM(
+            _calculateStakeSnapshot(tokens, tokensDelegated)
+        );
+        tokensSlash = bound(tokensSlash, maxTokensToSlash + 1, type(uint256).max);
+
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        // max slashing percentage is 50%
+        resetPrank(users.arbitrator);
+        bytes memory expectedError = abi.encodeWithSelector(
+            IDisputeManager.DisputeManagerInvalidTokensSlash.selector,
+            tokensSlash,
+            maxTokensToSlash
+        );
+        vm.expectRevert(expectedError);
+        disputeManager.acceptDispute(disputeID, tokensSlash);
+    }
+
+
+    function test_Query_Accept_RevertWhen_SlashingOverMaxSlashPercentage_WithDelegation_DelegationSlashing(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        // enable delegation slashing
+        resetPrank(users.governor);
+        staking.setDelegationSlashingEnabled();
+
+        resetPrank(users.fisherman);
+        uint256 maxTokensToSlash = uint256(maxSlashingPercentage).mulPPM(
+            _calculateStakeSnapshot(tokens, tokensDelegated)
+        );
+        tokensSlash = bound(tokensSlash, maxTokensToSlash + 1, type(uint256).max);
+
+        // Create a new dispute with delegation slashing enabled
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        // max slashing percentage is 50%
+        resetPrank(users.arbitrator);
+        bytes memory expectedError = abi.encodeWithSelector(
+            IDisputeManager.DisputeManagerInvalidTokensSlash.selector,
+            tokensSlash,
+            maxTokensToSlash
+        );
+        vm.expectRevert(expectedError);
+        disputeManager.acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Query_Accept_Dispute_AfterFishermanRewardCutIncreased(
+        uint256 tokens,
+        uint256 tokensSlash
+    ) public useIndexer {
+        vm.assume(tokens >= minimumProvisionTokens);
+        vm.assume(tokens < 10_000_000_000 ether);
+        tokensSlash = bound(tokensSlash, 1, uint256(maxSlashingPercentage).mulPPM(tokens));
+
+        // Set fishermanRewardCut to 25%
+        resetPrank(users.governor);
+        uint32 oldFishermanRewardCut = 250_000;
+        disputeManager.setFishermanRewardCut(oldFishermanRewardCut);
+
+        // Create provision with maxVerifierCut == fishermanRewardCut and allocate
+        resetPrank(users.indexer);
+        _createProvision(users.indexer, tokens, oldFishermanRewardCut, disputePeriod);
+        _register(users.indexer, abi.encode("url", "geoHash", address(0)));
+        bytes memory data = _createSubgraphAllocationData(
+            users.indexer,
+            subgraphDeployment,
+            allocationIDPrivateKey,
+            tokens
+        );
+        _startService(users.indexer, data);
+
+        // Create a dispute with prov.maxVerifierCut == fishermanRewardCut
+        uint256 beforeFishermanBalance = token.balanceOf(users.fisherman);
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        // Now bump the fishermanRewardCut to 50%
+        resetPrank(users.governor);
+        disputeManager.setFishermanRewardCut(500_000);
+
+        // Accept the dispute
+        resetPrank(users.arbitrator);
+        _acceptDispute(disputeID, tokensSlash);
+
+        // Check that the fisherman received the correct amount of tokens
+        // which should use the old fishermanRewardCut
+        uint256 afterFishermanBalance = token.balanceOf(users.fisherman);
+        assertEq(afterFishermanBalance, beforeFishermanBalance + tokensSlash.mulPPM(oldFishermanRewardCut));
+    }
 }

packages/subgraph-service/test/disputeManager/disputes/query/create.t.sol

@@ -78,7 +78,7 @@ contract DisputeManagerQueryCreateDisputeTest is DisputeManagerTest {
         uint256 newAllocationIDKey = uint256(keccak256(abi.encodePacked("newAllocationID")));
         mint(newIndexer, tokens);
         resetPrank(newIndexer);
-        _createProvision(newIndexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(newIndexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(newIndexer, abi.encode("url", "geoHash", 0x0));
         bytes memory data = _createSubgraphAllocationData(newIndexer, subgraphDeployment, newAllocationIDKey, tokens);
         _startService(newIndexer, data);

packages/subgraph-service/test/disputeManager/disputes/queryConflict/accept.t.sol

@@ -150,7 +150,7 @@ contract DisputeManagerQueryConflictAcceptDisputeTest is DisputeManagerTest {
         mint(differentIndexer, tokensSecondIndexer);
         uint256 differentIndexerAllocationIDPrivateKey = uint256(keccak256(abi.encodePacked(differentIndexer)));
         resetPrank(differentIndexer);
-        _createProvision(differentIndexer, tokensSecondIndexer, maxSlashingPercentage, disputePeriod);
+        _createProvision(differentIndexer, tokensSecondIndexer, fishermanRewardPercentage, disputePeriod);
         _register(differentIndexer, abi.encode("url", "geoHash", address(0)));
         bytes memory data = _createSubgraphAllocationData(
             differentIndexer,

packages/subgraph-service/test/disputeManager/disputes/queryConflict/create.t.sol

@@ -38,7 +38,7 @@ contract DisputeManagerQueryConflictCreateDisputeTest is DisputeManagerTest {
         uint256 newAllocationIDKey = uint256(keccak256(abi.encodePacked("newAllocationID")));
         mint(newIndexer, tokens);
         resetPrank(newIndexer);
-        _createProvision(newIndexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(newIndexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(newIndexer, abi.encode("url", "geoHash", 0x0));
         bytes memory data = _createSubgraphAllocationData(newIndexer, subgraphDeployment, newAllocationIDKey, tokens);
         _startService(newIndexer, data);

packages/subgraph-service/test/shared/SubgraphServiceShared.t.sol

@@ -3,6 +3,7 @@ pragma solidity 0.8.27;
 
 import "forge-std/Test.sol";
 
+import { MathUtils } from "@graphprotocol/horizon/contracts/libraries/MathUtils.sol";
 import { Allocation } from "../../contracts/libraries/Allocation.sol";
 import { AllocationManager } from "../../contracts/utilities/AllocationManager.sol";
 import { IDataService } from "@graphprotocol/horizon/contracts/data-service/interfaces/IDataService.sol";
@@ -34,7 +35,7 @@ abstract contract SubgraphServiceSharedTest is HorizonStakingSharedTest {
     modifier useAllocation(uint256 tokens) {
         vm.assume(tokens >= minimumProvisionTokens);
         vm.assume(tokens < 10_000_000_000 ether);
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
         bytes memory data = _createSubgraphAllocationData(
             users.indexer,
@@ -194,4 +195,8 @@ abstract contract SubgraphServiceSharedTest is HorizonStakingSharedTest {
         (uint256 registeredAt, string memory url, string memory geoHash) = subgraphService.indexers(_indexer);
         return ISubgraphService.Indexer({ registeredAt: registeredAt, url: url, geoHash: geoHash });
     }
+
+    function _calculateStakeSnapshot(uint256 _tokens, uint256 _tokensDelegated) internal view returns (uint256) {
+        return _tokens + MathUtils.min(_tokensDelegated, _tokens * subgraphService.getDelegationRatio());
+    }
 }

packages/subgraph-service/test/subgraphService/SubgraphService.t.sol

@@ -481,7 +481,7 @@ contract SubgraphServiceTest is SubgraphServiceSharedTest {
         resetPrank(_indexer);
         token.approve(address(staking), _tokens);
         staking.stakeTo(_indexer, _tokens);
-        staking.provision(_indexer, address(subgraphService), _tokens, maxSlashingPercentage, disputePeriod);
+        staking.provision(_indexer, address(subgraphService), _tokens, fishermanRewardPercentage, disputePeriod);
         _register(_indexer, abi.encode("url", "geoHash", address(0)));
 
         (address newIndexerAllocationId, uint256 newIndexerAllocationKey) = makeAddrAndKey("newIndexerAllocationId");

packages/subgraph-service/test/subgraphService/allocation/forceClose.t.sol

@@ -78,7 +78,7 @@ contract SubgraphServiceAllocationForceCloseTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_ForceClose_RevertIf_Altruistic(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _createSubgraphAllocationData(users.indexer, subgraphDeployment, allocationIDPrivateKey, 0);

packages/subgraph-service/test/subgraphService/allocation/overDelegated.t.sol

@@ -30,7 +30,7 @@ contract SubgraphServiceAllocationOverDelegatedTest is SubgraphServiceTest {
 
         // Create provision
         token.approve(address(staking), indexerTokens);
-        _createProvision(users.indexer, indexerTokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, indexerTokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         // Delegate so that indexer is over allocated