Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Session Token>Threat Model>Function: liquidateBLSPublicKeyWithSignature()
GeneralOverview
Findings
High (2)
Medium (1)
Low (1)
Informational (1)
DiscussionUnused and sometimes misleading functionsGas savingsMisleading functions' nameData desynchronizationRedundant checks
Threat ModelWhat are threat models?BN256G1.solBN256G2.solPairing.solRewardRatePool.solServiceNodeContribution.solServiceNodeContributionFactory.sol
ServiceNodeRewards.solFunction: addBLSPublicKey()Function: initiateRemoveBLSPublicKey()Function: liquidateBLSPublicKeyWithSignature()Function: removeBLSPublicKeyAfterWaitTime()Function: removeBLSPublicKeyWithSignature()Function: updateRewardsBalance()
TokenConverter.solTokenVestingStaking.sol
Audit ResultsAssessment Results

Function: liquidateBLSPublicKeyWithSignature()

The function removes a service node by liquidating its node from the network, rewarding the caller and transferring the remaining funds according to predefined ratios, after validating the provided BLS signature and ensuring the network's approval for the liquidation.

Inputs

  • blsPubkey

    • Validation: The blsPubKey must be the BLS public key of a preregistered ServiceNode.

    • Impact: The BLS public key of the ServiceNode to be removed.

  • timestamp

    • Validation: The timestamp must be within the seconds specified by signatureExpiry from the current block.timestamp.

    • Impact: A parameter necessary to check the validity period of the blsSignature.

  • blsSignature

    • Validation: N/A.

    • Impact: A parameter necessary to verify the encodedMessage generated in liquidateBLSPublicKeyWithSignature.

  • ids

    • Validation: The length of ids must not exceed 1/3 of the total number of signers, and under no circumstances can the length of ids exceed 300, which can be adjusted by setBLSNonSignerThresholdMax.

    • Impact: The IDs of the signers to be excluded from the BLS public-key aggregation.

Branches and code coverage (including function calls)

Intended branches

Negative behavior

Function call analysis

  • BN256G2.hashToG2(BN256G2.hashToField(string(encodedMessage)))

    • External/Internal? External.

    • Argument control: Value is hashed with hashToField before passing as an argument.

    • Impact: Hash computation before BLS signature verification.

  • validateSignatureOrRevert(ids, blsSignature, Hm) -> Pairing.pairing2(BN256G1.P1(), signature, BN256G1.negate(pubkey), hashToVerify)

    • External/Internal? Internal.

    • Argument control: ids, blsSignature, and Hm.

    • Impact: Aggregates the excluded signers (ids) and verifies the encodedMessage (Hm) with the blsSignature.

  • _removeBLSPublicKey(serviceNodeID, deposit - liquidatorAmount - poolAmount) -> serviceNodeDelete(serviceNodeID)

    • External/Internal? Internal.

    • Argument control: serviceNodeID.

    • Impact: Deletes the specified data from _serviceNodes and serviceNodeIDs — also removes the specified public key from _aggregatePubKey.

  • _removeBLSPublicKey(serviceNodeID, deposit - liquidatorAmount - poolAmount) -> updateBLSNonSignerThreshold()

    • External/Internal? Internal.

    • Argument control: serviceNodeID.

    • Impact: Updates the number of signers that can be excluded from BLS signature aggregation.

  • SafeERC20.safeTransfer(designatedToken, msg.sender, liquidatorAmount)

    • External/Internal? External.

    • Argument control: N/A.

    • Impact: Transfers the liquidatorAmount of designatedToken to the address that executed the liquidateBLSPublicKeyWithSignature function.

  • SafeERC20.safeTransfer(designatedToken, address(foundationPool), poolAmount)

    • External/Internal? External.

    • Argument control: N/A.

    • Impact: Transfers the poolAmount of designatedToken to the foundationPool.

Zellic © 2025Back to top ↑