Skip to content

fix: Winning ticket dust griefing#657

Open
SidestreamCrunchyCarrot wants to merge 12 commits into
livepeer:deltafrom
sidestream-tech:delta
Open

fix: Winning ticket dust griefing#657
SidestreamCrunchyCarrot wants to merge 12 commits into
livepeer:deltafrom
sidestream-tech:delta

Conversation

@SidestreamCrunchyCarrot

Copy link
Copy Markdown
Collaborator

Note: this PR was already approved by 2 Livepeer Security Committee members inside a private security advisory.

What does this pull request do? Explain your changes. (required)

This PR fixes a vulnerability where an attacker could frontrun a transcoder's redeemWinningTicket() call by depositing a dust amount (1 wei) into the sender's account via fundDepositAndReserveFor(). Because redeemWinningTicket() paid out whatever funds were available and then permanently marked the ticket as used, the transcoder would receive 1 wei instead of the full face value. The same partial-payout and ticket-burn outcome could also occur naturally when multiple tickets from the same sender were redeemed in sequence, and the combined deposit and reserve were insufficient to cover all of them.

The fix enforces an all-or-nothing redemption: redeemWinningTicket() now requires that sender.deposit + remainingReserve >= ticket.faceValue before marking the ticket as used. If the sender is underfunded, the call reverts, leaving the ticket redeemable once the sender tops up.

Specific updates (required)

  • contracts/pm/mixins/MixinTicketBrokerCore.sol: Replaced the sender.deposit > 0 || remainingReserve > 0 guard in redeemWinningTicket() with a stricter check requiring deposit + reserve >= faceValue.

How did you test each of these updates (required)

  • Added src/test/TicketBrokerDustDepositGriefingPoC.sol to prove both attack scenarios exist: the griefing attack (testDustDepositGriefing) and the race condition (testRaceConditionPartialPayout), described in the analysis report.
  • Added src/test/TicketBrokerDustDepositGriefingFix.sol to prove the fix closes both scenarios while the normal flow continues to work.
  • Updated three existing unit tests in test/unit/TicketBroker.js where the previous partial-payment behavior was under test. The amounts were adjusted to be fully funded, so the test semantics are preserved
  • Added two new unit tests: reverts if faceValue exceeds deposit and reserve combined, and succeeds when faceValue equals deposit and reserve combined.

Does this pull request close any open issues?

Yes, it closes https://github.com/sidestream-tech/livepeer-protocol/security/advisories/GHSA-cfpp-6gv2-r325

Checklist:

  • README and other documentation updated
    ℹ️ No relevant section in the README, but the NatSpec on redeemWinningTicket() was updated directly in the contract
  • All tests using yarn test pass

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00000%. Comparing base (3337250) to head (a8d5df4).

Additional details and impacted files

Impacted file tree graph

@@               Coverage Diff               @@
##                delta         #657   +/-   ##
===============================================
  Coverage   100.00000%   100.00000%           
===============================================
  Files              29           29           
  Lines            1338         1338           
  Branches          225          225           
===============================================
  Hits             1338         1338           
Files with missing lines Coverage Δ
contracts/pm/mixins/MixinTicketBrokerCore.sol 100.00000% <100.00000%> (ø)

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3337250...a8d5df4. Read the comment docs.

Files with missing lines Coverage Δ
contracts/pm/mixins/MixinTicketBrokerCore.sol 100.00000% <100.00000%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants