Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Session Token>Threat Model>Function: removeBLSPublicKeyWithSignature()
GeneralOverview
Findings
High (2)
Medium (1)
Low (1)
Informational (1)
DiscussionUnused and sometimes misleading functionsGas savingsMisleading functions' nameData desynchronizationRedundant checks
Threat ModelWhat are threat models?BN256G1.solBN256G2.solPairing.solRewardRatePool.solServiceNodeContribution.solServiceNodeContributionFactory.sol
ServiceNodeRewards.solFunction: addBLSPublicKey()Function: initiateRemoveBLSPublicKey()Function: liquidateBLSPublicKeyWithSignature()Function: removeBLSPublicKeyAfterWaitTime()Function: removeBLSPublicKeyWithSignature()Function: updateRewardsBalance()
TokenConverter.solTokenVestingStaking.sol
Audit ResultsAssessment Results

Function: removeBLSPublicKeyWithSignature()

The function removes a BLS public key from the network using an aggregated BLS signature, allowing the service node to exit and release the staked amount.

The difference between this function and removeBLSPublicKeyAfterWaitTime is that it does not require setting the leaveRequestTimestamp in _serviceNodes beforehand through initiateRemoveBLSPublicKey.

Inputs

  • blsPubkey

    • Validation: The blsPubKey must be the BLS public key of a preregistered ServiceNode.

    • Impact: The BLS public key of the ServiceNode to be removed.

  • timestamp

    • Validation: The timestamp must be within the seconds specified by signatureExpiry from the current block.timestamp.

    • Impact: A parameter necessary to check the validity period of the blsSignature.

  • blsSignature

    • Validation: N/A.

    • Impact: A parameter necessary to verify the encodedMessage generated in removeBLSPublicKeyWithSignature.

  • ids

    • Validation: The length of ids must not exceed 1/3 of the total number of signers, and under no circumstances can the length of ids exceed 300, which can be adjusted by setBLSNonSignerThresholdMax.

    • Impact: The IDs of the signers to be excluded from the BLS public-key aggregation.

Branches and code coverage (including function calls)

Intended branches

Negative behavior

Function call analysis

  • BN256G2.hashToG2(BN256G2.hashToField(string(encodedMessage)))

    • External/Internal? External.

    • Argument control: Value is hashed with hashToField before passing as an argument.

    • Impact: Hash computation before BLS signature verification.

  • validateSignatureOrRevert(ids, blsSignature, Hm) -> Pairing.pairing2(BN256G1.P1(), signature, BN256G1.negate(pubkey), hashToVerify)

    • External/Internal? Internal.

    • Argument control: ids, blsSignature, and Hm.

    • Impact: Aggregates the excluded signers (ids), updates the verification key, and verifies the encodedMessage (Hm) with the blsSignature.

  • _removeBLSPublicKey(serviceNodeID, _serviceNodes[serviceNodeID].deposit) -> serviceNodeDelete(serviceNodeID)

    • External/Internal? Internal.

    • Argument control: serviceNodeID.

    • Impact: Deletes the specified data from _serviceNodes and serviceNodeIDs — also removes the specified public key from _aggregatePubKey.

  • _removeBLSPublicKey(serviceNodeID, _serviceNodes[serviceNodeID].deposit) -> updateBLSNonSignerThreshold()

    • External/Internal? Internal.

    • Argument control: serviceNodeID.

    • Impact: Updates the number of signers that can be excluded from BLS signature aggregation.

Zellic © 2025Back to top ↑