fix: prevent indexer from possibly being exessively slashed (OZ M-04)

tmigone · tmigone · commit 0a7e4168d2a6 · 2025-04-24T14:55:59.000-03:00
Signed-off-by: Tomás Migone &lt;tomas@edgeandnode.com&gt;
diff --git a/packages/subgraph-service/contracts/DisputeManager.sol b/packages/subgraph-service/contracts/DisputeManager.sol
@@ -667,15 +667,21 @@ contract DisputeManager is
      * - Thawing stake is not excluded from the snapshot.
      * - Delegators stake is capped at the delegation ratio to prevent delegators from inflating the snapshot
      *   to increase the indexer slash amount.
+     * - Delegator's stake is not considered if delegation slashing is disabled.
      * @param _indexer Indexer address
      * @param _indexerStake Indexer's stake
      * @return Total stake snapshot
      */
     function _getStakeSnapshot(address _indexer, uint256 _indexerStake) private view returns (uint256) {
         ISubgraphService subgraphService_ = _getSubgraphService();
-        uint256 delegatorsStake = _graphStaking().getDelegationPool(_indexer, address(subgraphService_)).tokens;
-        uint256 delegatorsStakeMax = _indexerStake * uint256(subgraphService_.getDelegationRatio());
-        uint256 stakeSnapshot = _indexerStake + MathUtils.min(delegatorsStake, delegatorsStakeMax);
-        return stakeSnapshot;
+        IHorizonStaking staking = _graphStaking();
+
+        if (staking.isDelegationSlashingEnabled()) {
+            uint256 delegatorsStake = staking.getDelegationPool(_indexer, address(subgraphService_)).tokens;
+            uint256 delegatorsStakeMax = _indexerStake * uint256(subgraphService_.getDelegationRatio());
+            return _indexerStake + MathUtils.min(delegatorsStake, delegatorsStakeMax);
+        } else {
+            return _indexerStake;
+        }
     }
 }
diff --git a/packages/subgraph-service/test/disputeManager/DisputeManager.t.sol b/packages/subgraph-service/test/disputeManager/DisputeManager.t.sol
@@ -8,6 +8,7 @@ import { IDisputeManager } from "../../contracts/interfaces/IDisputeManager.sol"
 import { Attestation } from "../../contracts/libraries/Attestation.sol";
 import { Allocation } from "../../contracts/libraries/Allocation.sol";
 import { IDisputeManager } from "../../contracts/interfaces/IDisputeManager.sol";
+import { Math } from "@openzeppelin/contracts/utils/math/Math.sol";
 
 import { SubgraphServiceSharedTest } from "../shared/SubgraphServiceShared.t.sol";
 
@@ -403,9 +404,10 @@ contract DisputeManagerTest is SubgraphServiceSharedTest {
         address fisherman = dispute.fisherman;
         uint256 fishermanPreviousBalance = token.balanceOf(fisherman);
         uint256 indexerTokensAvailable = staking.getProviderTokensAvailable(dispute.indexer, address(subgraphService));
+        uint256 provisionTokens = staking.getProvision(dispute.indexer, address(subgraphService)).tokens;
         uint256 disputeDeposit = dispute.deposit;
         uint256 fishermanRewardPercentage = disputeManager.fishermanRewardCut();
-        uint256 fishermanReward = _tokensSlash.mulPPM(fishermanRewardPercentage);
+        uint256 fishermanReward = Math.min(_tokensSlash, provisionTokens).mulPPM(fishermanRewardPercentage);
 
         vm.expectEmit(address(disputeManager));
         emit IDisputeManager.DisputeAccepted(
diff --git a/packages/subgraph-service/test/disputeManager/disputes/indexing/accept.t.sol b/packages/subgraph-service/test/disputeManager/disputes/indexing/accept.t.sol
@@ -88,4 +88,99 @@ contract DisputeManagerIndexingAcceptDisputeTest is DisputeManagerTest {
         vm.expectRevert(expectedError);
         disputeManager.acceptDispute(disputeID, tokensSlash);
     }
+
+    function test_Indexing_Accept_Dispute_WithDelegation(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        tokensSlash = bound(
+            tokensSlash,
+            1,
+            uint256(maxSlashingPercentage).mulPPM(_calculateStakeSnapshot(tokens, tokensDelegated))
+        );
+
+        // Initial dispute with delegation slashing disabled
+        resetPrank(users.fisherman);
+        bytes32 disputeID = _createIndexingDispute(allocationID, bytes32("POI1"));
+
+        resetPrank(users.arbitrator);
+        _acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Indexing_Accept_RevertWhen_SlashingOverMaxSlashPercentage_WithDelegation(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        uint256 maxTokensToSlash = uint256(maxSlashingPercentage).mulPPM(
+            _calculateStakeSnapshot(tokens, tokensDelegated)
+        );
+        tokensSlash = bound(tokensSlash, maxTokensToSlash + 1, type(uint256).max);
+
+        resetPrank(users.fisherman);
+        bytes32 disputeID = _createIndexingDispute(allocationID, bytes32("POI101"));
+
+        // max slashing percentage is 50%
+        resetPrank(users.arbitrator);
+        bytes memory expectedError = abi.encodeWithSelector(
+            IDisputeManager.DisputeManagerInvalidTokensSlash.selector,
+            tokensSlash,
+            maxTokensToSlash
+        );
+        vm.expectRevert(expectedError);
+        disputeManager.acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Indexing_Accept_Dispute_WithDelegation_DelegationSlashing(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        // enable delegation slashing
+        resetPrank(users.governor);
+        staking.setDelegationSlashingEnabled();
+
+        tokensSlash = bound(
+            tokensSlash,
+            1,
+            uint256(maxSlashingPercentage).mulPPM(_calculateStakeSnapshot(tokens, tokensDelegated))
+        );
+
+        // Create a new dispute with delegation slashing enabled
+        resetPrank(users.fisherman);
+        bytes32 disputeID = _createIndexingDispute(allocationID, bytes32("POI2"));
+
+        resetPrank(users.arbitrator);
+        _acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Indexing_Accept_RevertWhen_SlashingOverMaxSlashPercentage_WithDelegation_DelegationSlashing(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        // enable delegation slashing
+        resetPrank(users.governor);
+        staking.setDelegationSlashingEnabled();
+
+        uint256 maxTokensToSlash = uint256(maxSlashingPercentage).mulPPM(
+            _calculateStakeSnapshot(tokens, tokensDelegated)
+        );
+        tokensSlash = bound(tokensSlash, maxTokensToSlash + 1, type(uint256).max);
+
+        // Create a new dispute with delegation slashing enabled
+        resetPrank(users.fisherman);
+        bytes32 disputeID = _createIndexingDispute(allocationID, bytes32("POI101"));
+
+        // max slashing percentage is 50%
+        resetPrank(users.arbitrator);
+        bytes memory expectedError = abi.encodeWithSelector(
+            IDisputeManager.DisputeManagerInvalidTokensSlash.selector,
+            tokensSlash,
+            maxTokensToSlash
+        );
+        vm.expectRevert(expectedError);
+        disputeManager.acceptDispute(disputeID, tokensSlash);
+    }
 }
diff --git a/packages/subgraph-service/test/disputeManager/disputes/query/accept.t.sol b/packages/subgraph-service/test/disputeManager/disputes/query/accept.t.sol
@@ -118,4 +118,108 @@ contract DisputeManagerQueryAcceptDisputeTest is DisputeManagerTest {
         vm.expectRevert(abi.encodeWithSelector(IDisputeManager.DisputeManagerDisputeNotInConflict.selector, disputeID));
         disputeManager.acceptDisputeConflict(disputeID, tokensSlash, true, 0);
     }
+
+    function test_Query_Accept_Dispute_WithDelegation(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        tokensSlash = bound(
+            tokensSlash,
+            1,
+            uint256(maxSlashingPercentage).mulPPM(_calculateStakeSnapshot(tokens, tokensDelegated))
+        );
+
+        // Initial dispute with delegation slashing disabled
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        resetPrank(users.arbitrator);
+        _acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Query_Accept_RevertWhen_SlashingOverMaxSlashPercentage_WithDelegation(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        uint256 maxTokensToSlash = uint256(maxSlashingPercentage).mulPPM(
+            _calculateStakeSnapshot(tokens, tokensDelegated)
+        );
+        tokensSlash = bound(tokensSlash, maxTokensToSlash + 1, type(uint256).max);
+
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        // max slashing percentage is 50%
+        resetPrank(users.arbitrator);
+        bytes memory expectedError = abi.encodeWithSelector(
+            IDisputeManager.DisputeManagerInvalidTokensSlash.selector,
+            tokensSlash,
+            maxTokensToSlash
+        );
+        vm.expectRevert(expectedError);
+        disputeManager.acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Query_Accept_Dispute_WithDelegation_DelegationSlashing(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        // enable delegation slashing
+        resetPrank(users.governor);
+        staking.setDelegationSlashingEnabled();
+
+        tokensSlash = bound(
+            tokensSlash,
+            1,
+            uint256(maxSlashingPercentage).mulPPM(_calculateStakeSnapshot(tokens, tokensDelegated))
+        );
+
+        // Create a new dispute with delegation slashing enabled
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        resetPrank(users.arbitrator);
+        _acceptDispute(disputeID, tokensSlash);
+    }
+
+    function test_Query_Accept_RevertWhen_SlashingOverMaxSlashPercentage_WithDelegation_DelegationSlashing(
+        uint256 tokens,
+        uint256 tokensDelegated,
+        uint256 tokensSlash
+    ) public useIndexer useAllocation(tokens) useDelegation(tokensDelegated) {
+        // enable delegation slashing
+        resetPrank(users.governor);
+        staking.setDelegationSlashingEnabled();
+
+        resetPrank(users.fisherman);
+        uint256 maxTokensToSlash = uint256(maxSlashingPercentage).mulPPM(
+            _calculateStakeSnapshot(tokens, tokensDelegated)
+        );
+        tokensSlash = bound(tokensSlash, maxTokensToSlash + 1, type(uint256).max);
+
+        // Create a new dispute with delegation slashing enabled
+        resetPrank(users.fisherman);
+        Attestation.Receipt memory receipt = _createAttestationReceipt(requestCID, responseCID, subgraphDeploymentId);
+        bytes memory attestationData = _createAtestationData(receipt, allocationIDPrivateKey);
+        bytes32 disputeID = _createQueryDispute(attestationData);
+
+        // max slashing percentage is 50%
+        resetPrank(users.arbitrator);
+        bytes memory expectedError = abi.encodeWithSelector(
+            IDisputeManager.DisputeManagerInvalidTokensSlash.selector,
+            tokensSlash,
+            maxTokensToSlash
+        );
+        vm.expectRevert(expectedError);
+        disputeManager.acceptDispute(disputeID, tokensSlash);
+    }
 }
diff --git a/packages/subgraph-service/test/shared/SubgraphServiceShared.t.sol b/packages/subgraph-service/test/shared/SubgraphServiceShared.t.sol
@@ -7,6 +7,7 @@ import { Allocation } from "../../contracts/libraries/Allocation.sol";
 import { AllocationManager } from "../../contracts/utilities/AllocationManager.sol";
 import { IDataService } from "@graphprotocol/horizon/contracts/data-service/interfaces/IDataService.sol";
 import { ISubgraphService } from "../../contracts/interfaces/ISubgraphService.sol";
+import { MathUtils } from "@graphprotocol/horizon/contracts/libraries/MathUtils.sol";
 
 import { HorizonStakingSharedTest } from "./HorizonStakingShared.t.sol";
 
@@ -186,6 +187,15 @@ abstract contract SubgraphServiceSharedTest is HorizonStakingSharedTest {
         staking.delegate(users.indexer, address(subgraphService), tokens, 0);
     }
 
+    function _calculateStakeSnapshot(uint256 _tokens, uint256 _tokensDelegated) internal view returns (uint256) {
+        bool delegationSlashingEnabled = staking.isDelegationSlashingEnabled();
+        if (delegationSlashingEnabled) {
+            return _tokens + MathUtils.min(_tokensDelegated, _tokens * subgraphService.getDelegationRatio());
+        } else {
+            return _tokens;
+        }
+    }
+
     /*
      * PRIVATE FUNCTIONS
      */
