fix: prevent slashing DoS (OZ M-02)

Signed-off-by: Tomás Migone <[email protected]>

Author: tmigone

packages/subgraph-service/contracts/DisputeManager.sol

@@ -569,10 +569,15 @@ contract DisputeManager is
             DisputeManagerInvalidTokensSlash(_tokensSlash, maxTokensSlash)
         );
 
-        // Rewards amount can only be extracted from service provider tokens so
-        // we grab the minimum between the slash amount and indexer's tokens
-        uint256 maxRewardableTokens = Math.min(_tokensSlash, provision.tokens);
-        uint256 tokensRewards = uint256(fishermanRewardCut).mulPPM(maxRewardableTokens);
+        // Rewards calculation:
+        // - Rewards can only be extracted from service provider tokens so we grab the minimum between the slash
+        //   amount and indexer's tokens
+        // - The applied cut is the minimum between the provision's maxVerifierCut and the current fishermanRewardCut. This
+        //   protects the indexer from sudden changes to the fishermanRewardCut while ensuring the slashing does not revert due
+        //   to excessive rewards being requested.
+        uint256 maxRewardableTokens = MathUtils.min(_tokensSlash, provision.tokens);
+        uint256 effectiveCut = MathUtils.min(provision.maxVerifierCut, fishermanRewardCut);
+        uint256 tokensRewards = effectiveCut.mulPPM(maxRewardableTokens);
 
         subgraphService_.slash(_indexer, abi.encode(_tokensSlash, tokensRewards));
         return tokensRewards;

packages/subgraph-service/test/disputeManager/DisputeManager.t.sol

@@ -3,6 +3,7 @@ pragma solidity 0.8.27;
 
 import "forge-std/Test.sol";
 
+import { MathUtils } from "@graphprotocol/horizon/contracts/libraries/MathUtils.sol";
 import { PPMMath } from "@graphprotocol/horizon/contracts/libraries/PPMMath.sol";
 import { IDisputeManager } from "../../contracts/interfaces/IDisputeManager.sol";
 import { Attestation } from "../../contracts/libraries/Attestation.sol";
@@ -412,8 +413,17 @@ contract DisputeManagerTest is SubgraphServiceSharedTest {
         uint256 indexerTokensAvailable = staking.getProviderTokensAvailable(dispute.indexer, address(subgraphService));
         uint256 provisionTokens = staking.getProvision(dispute.indexer, address(subgraphService)).tokens;
         uint256 disputeDeposit = dispute.deposit;
-        uint256 fishermanRewardPercentage = disputeManager.fishermanRewardCut();
-        uint256 fishermanReward = Math.min(_tokensSlash, provisionTokens).mulPPM(fishermanRewardPercentage);
+        uint256 fishermanReward;
+        {
+            uint32 provisionMaxVerifierCut = staking
+                .getProvision(dispute.indexer, address(subgraphService))
+                .maxVerifierCut;
+            uint256 fishermanRewardPercentage = MathUtils.min(
+                disputeManager.fishermanRewardCut(),
+                provisionMaxVerifierCut
+            );
+            fishermanReward = Math.min(_tokensSlash, provisionTokens).mulPPM(fishermanRewardPercentage);
+        }
 
         vm.expectEmit(address(disputeManager));
         emit IDisputeManager.DisputeAccepted(

packages/subgraph-service/test/disputeManager/disputes/indexing/create.t.sol

@@ -42,7 +42,7 @@ contract DisputeManagerIndexingCreateDisputeTest is DisputeManagerTest {
 
             resetPrank(indexer);
             mint(indexer, tokens);
-            _createProvision(indexer, tokens, maxSlashingPercentage, disputePeriod);
+            _createProvision(indexer, tokens, fishermanRewardPercentage, disputePeriod);
             _register(indexer, abi.encode("url", "geoHash", address(0)));
             uint256 allocationIDPrivateKey = uint256(keccak256(abi.encodePacked(i)));
             bytes memory data = _createSubgraphAllocationData(

packages/subgraph-service/test/disputeManager/disputes/legacy.t.sol

@@ -29,13 +29,13 @@ contract DisputeManagerLegacyDisputeTest is DisputeManagerTest {
         vm.assume(tokensStaked >= minimumProvisionTokens);
         tokensProvisioned = bound(tokensProvisioned, minimumProvisionTokens, tokensStaked);
         tokensSlash = bound(tokensSlash, 2, tokensProvisioned);
-        tokensRewards = bound(tokensRewards, 1, tokensSlash.mulPPM(maxSlashingPercentage));
+        tokensRewards = bound(tokensRewards, 1, tokensSlash.mulPPM(fishermanRewardPercentage));
 
         // setup indexer state
         resetPrank(users.indexer);
         _stake(tokensStaked);
         _setStorage_allocation_hardcoded(users.indexer, allocationID, tokensStaked - tokensProvisioned);
-        _provision(users.indexer, tokensProvisioned, maxSlashingPercentage, disputePeriod);
+        _provision(users.indexer, tokensProvisioned, fishermanRewardPercentage, disputePeriod);
 
         resetPrank(users.arbitrator);
         _createAndAcceptLegacyDispute(allocationID, users.fisherman, tokensSlash, tokensRewards);

packages/subgraph-service/test/disputeManager/disputes/query/accept.t.sol

@@ -222,4 +222,50 @@ contract DisputeManagerQueryAcceptDisputeTest is DisputeManagerTest {
         vm.expectRevert(expectedError);
         disputeManager.acceptDispute(disputeID, tokensSlash);
     }
+
+    function test_Query_Accept_Dispute_AfterFishermanRewardCutIncreased(
+        uint256 tokens,
+        uint256 tokensSlash
+    ) public useIndexer {
+        vm.assume(tokens >= minimumProvisionTokens);
+        vm.assume(tokens < 10_000_000_000 ether);
+        tokensSlash = bound(tokensSlash, 1, uint256(maxSlashingPercentage).mulPPM(tokens));
+
+        // Set fishermanRewardCut to 25%
+        resetPrank(users.governor);
+        uint32 oldFishermanRewardCut = 250_000;
+        disputeManager.setFishermanRewardCut(oldFishermanRewardCut);
+
+        // Create provision with maxVerifierCut == fishermanRewardCut and allocate
+        resetPrank(users.indexer);
+        _createProvision(users.indexer, tokens, oldFishermanRewardCut, disputePeriod);
+        _register(users.indexer, abi.encode("url", "geoHash", address(0)));
+        bytes memory data = _createSubgraphAllocationData(
+            users.indexer,
+            subgraphDeployment,
+            allocationIDPrivateKey,
+            tokens
+        );
+        _startService(users.indexer, data);
+
+        // Create a dispute with prov.maxVerifierCut == fishermanRewardCut
+        uint256 beforeFishermanBalance = token.balanceOf(users.fisherman);
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        // Now bump the fishermanRewardCut to 50%
+        resetPrank(users.governor);
+        disputeManager.setFishermanRewardCut(500_000);
+
+        // Accept the dispute
+        resetPrank(users.arbitrator);
+        _acceptDispute(disputeID, tokensSlash);
+
+        // Check that the fisherman received the correct amount of tokens
+        // which should use the old fishermanRewardCut
+        uint256 afterFishermanBalance = token.balanceOf(users.fisherman);
+        assertEq(afterFishermanBalance, beforeFishermanBalance + tokensSlash.mulPPM(oldFishermanRewardCut));
+    }
 }

packages/subgraph-service/test/disputeManager/disputes/query/create.t.sol

@@ -78,7 +78,7 @@ contract DisputeManagerQueryCreateDisputeTest is DisputeManagerTest {
         uint256 newAllocationIDKey = uint256(keccak256(abi.encodePacked("newAllocationID")));
         mint(newIndexer, tokens);
         resetPrank(newIndexer);
-        _createProvision(newIndexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(newIndexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(newIndexer, abi.encode("url", "geoHash", 0x0));
         bytes memory data = _createSubgraphAllocationData(newIndexer, subgraphDeployment, newAllocationIDKey, tokens);
         _startService(newIndexer, data);

packages/subgraph-service/test/disputeManager/disputes/queryConflict/accept.t.sol

@@ -150,7 +150,7 @@ contract DisputeManagerQueryConflictAcceptDisputeTest is DisputeManagerTest {
         mint(differentIndexer, tokensSecondIndexer);
         uint256 differentIndexerAllocationIDPrivateKey = uint256(keccak256(abi.encodePacked(differentIndexer)));
         resetPrank(differentIndexer);
-        _createProvision(differentIndexer, tokensSecondIndexer, maxSlashingPercentage, disputePeriod);
+        _createProvision(differentIndexer, tokensSecondIndexer, fishermanRewardPercentage, disputePeriod);
         _register(differentIndexer, abi.encode("url", "geoHash", address(0)));
         bytes memory data = _createSubgraphAllocationData(
             differentIndexer,

packages/subgraph-service/test/disputeManager/disputes/queryConflict/create.t.sol

@@ -38,7 +38,7 @@ contract DisputeManagerQueryConflictCreateDisputeTest is DisputeManagerTest {
         uint256 newAllocationIDKey = uint256(keccak256(abi.encodePacked("newAllocationID")));
         mint(newIndexer, tokens);
         resetPrank(newIndexer);
-        _createProvision(newIndexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(newIndexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(newIndexer, abi.encode("url", "geoHash", 0x0));
         bytes memory data = _createSubgraphAllocationData(newIndexer, subgraphDeployment, newAllocationIDKey, tokens);
         _startService(newIndexer, data);

packages/subgraph-service/test/shared/SubgraphServiceShared.t.sol

@@ -35,7 +35,7 @@ abstract contract SubgraphServiceSharedTest is HorizonStakingSharedTest {
     modifier useAllocation(uint256 tokens) {
         vm.assume(tokens >= minimumProvisionTokens);
         vm.assume(tokens < 10_000_000_000 ether);
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
         bytes memory data = _createSubgraphAllocationData(
             users.indexer,

packages/subgraph-service/test/subgraphService/SubgraphService.t.sol

@@ -481,7 +481,7 @@ contract SubgraphServiceTest is SubgraphServiceSharedTest {
         resetPrank(_indexer);
         token.approve(address(staking), _tokens);
         staking.stakeTo(_indexer, _tokens);
-        staking.provision(_indexer, address(subgraphService), _tokens, maxSlashingPercentage, disputePeriod);
+        staking.provision(_indexer, address(subgraphService), _tokens, fishermanRewardPercentage, disputePeriod);
         _register(_indexer, abi.encode("url", "geoHash", address(0)));
 
         (address newIndexerAllocationId, uint256 newIndexerAllocationKey) = makeAddrAndKey("newIndexerAllocationId");

packages/subgraph-service/test/subgraphService/allocation/forceClose.t.sol

@@ -78,7 +78,7 @@ contract SubgraphServiceAllocationForceCloseTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_ForceClose_RevertIf_Altruistic(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _createSubgraphAllocationData(users.indexer, subgraphDeployment, allocationIDPrivateKey, 0);

packages/subgraph-service/test/subgraphService/allocation/overDelegated.t.sol

@@ -30,7 +30,7 @@ contract SubgraphServiceAllocationOverDelegatedTest is SubgraphServiceTest {
 
         // Create provision
         token.approve(address(staking), indexerTokens);
-        _createProvision(users.indexer, indexerTokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, indexerTokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         // Delegate so that indexer is over allocated

packages/subgraph-service/test/subgraphService/allocation/start.t.sol

@@ -21,7 +21,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _generateData(tokens);
@@ -31,7 +31,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_AllowsZeroTokens(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _generateData(0);
@@ -41,7 +41,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_ByOperator(uint256 tokens) public useOperator {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _generateData(tokens);
@@ -51,7 +51,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_NotAuthorized(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         resetPrank(users.operator);
@@ -79,7 +79,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_NotRegistered(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
 
         bytes memory data = _generateData(tokens);
         vm.expectRevert(
@@ -91,7 +91,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_ZeroAllocationId(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes32 digest = subgraphService.encodeAllocationProof(users.indexer, address(0));
@@ -104,7 +104,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_InvalidSignature(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         (address signer, uint256 signerPrivateKey) = makeAddrAndKey("invalidSigner");
@@ -124,7 +124,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_InvalidData(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = abi.encode(subgraphDeployment, tokens, allocationID, _generateRandomHexBytes(32));
@@ -137,7 +137,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     ) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _generateData(tokens);
@@ -150,7 +150,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_AlreadyExists_Migrated(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         resetPrank(users.governor);
@@ -165,7 +165,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
     function test_SubgraphService_Allocation_Start_RevertWhen_AlreadyExists_Staking(uint256 tokens) public useIndexer {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         // create dummy allo in staking contract
@@ -183,7 +183,7 @@ contract SubgraphServiceAllocationStartTest is SubgraphServiceTest {
         tokens = bound(tokens, minimumProvisionTokens, MAX_TOKENS - 1);
         lockTokens = bound(lockTokens, tokens + 1, MAX_TOKENS);
 
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
 
         bytes memory data = _generateData(lockTokens);

packages/subgraph-service/test/subgraphService/collect/indexing/indexing.t.sol

@@ -127,7 +127,7 @@ contract SubgraphServiceCollectIndexingTest is SubgraphServiceTest {
         tokens = bound(tokens, minimumProvisionTokens * 2, 10_000_000_000 ether);
 
         // setup allocation
-        _createProvision(users.indexer, tokens, maxSlashingPercentage, disputePeriod);
+        _createProvision(users.indexer, tokens, fishermanRewardPercentage, disputePeriod);
         _register(users.indexer, abi.encode("url", "geoHash", address(0)));
         bytes memory data = _createSubgraphAllocationData(
             users.indexer,