Description

When a user redeems their PTs or YTs from a solo validator bond, they have the option to redeem directly as SOL or as stake.

If redeeming directly as SOL, they swap their tokens for SOL from the global counter party. If the global counter party has no funds, a user can permissionlessly redeem the global counter party's PTs/YTs to refill its funds to be later withdrawn.

However, the fee admin has unrestricted access to the counter_party_withdraw_sol instruction, which allows them to withdraw any amount of SOL from the global counter party's account.

This is normally fine, as user funds are backed by the solo validator bond itself, not the global counter party. However, an empty global counter party prevents users from redeeming their tokens as SOL.

This is an issue as the alternative is redeeming as stake, but this is only possible if a user has more than 1 SOL to redeem.

Impact

A fee admin could withdraw all the funds from the global counter party, preventing users from redeeming their solo validator bond tokens as SOL.

If those users have less than 1 SOL to redeem, their funds are stuck and they cannot withdraw.

Recommendations

Add a new redemption method for users with less than 1 SOL in a solo validator bond that does not rely on the global counter party.

Remediation

Pye in the Sky Labs Ltd. assumes fee_admin is operationally secure and acting in good faith and has opted not to make changes.