beePoL Threat Modeling

Berachain PoL Threat Model Docs

On this page, you can find the following:

  • DFD (Data Flow Diagram)

    • You can visually review the overall data flow and architecture of the PoL system. This allows for an intuitive understanding of how key entities, such as users and validators, interact with the system.

  • Threat Modeling

    • Entity: Defines all entities involved in the system (e.g., Governance, Validators, Users) and describes their respective roles.

    • Asset: Lists the core assets within the system that must be protected, such as BGT and LP tokens.

    • Entry Point: Identifies all paths and interfaces through which external threats can access the system.

    • Scenarios: Describes possible attack scenarios and potential threats in detail to help preemptively identify the system's security vulnerabilities.

DFD

DFD Link

Entity

| ID | Name | Description |
| --- | --- | --- |
| ET - 1 | Governance | Governance administrator. Performs major PoL settings and permission management. |
| ET - 2 | Validator | Entity that performs block creation and verification. Distributes BGT to the reward vault and is the target for user Boosting. |
| ET - 3 | User | General user of Berachain. |
| ET - 4 | Vault owner | Reward vault owner and managing entity. |
| ET - 5 | Distributor | Manages the distribution logic for BGT and incentive tokens. |
| ET - 6 | RewardVault | Receives LP token deposits and distributes BGT. |
| ET - 7 | BlockRewardController | Responsible for BGT issuance. |
| ET - 8 | BGTIncentiveDistributor | Distributes incentive tokens based on the amount of BGT issued. |
| ET - 9 | BeraChef | Responsible for BGT allocation and validator fee settings. |
| ET - 10 | BGTStaker | Manages BGT Boost and provides HONEY as a Boost reward. |
| ET - 11 | FeeCollector | Manages dApp fees. |
| ET - 12 | HoneyFactory | Issues HONEY with stablecoins as collateral. |
| ET - 13 | CollateralVault | Stores collateral for HONEY issuance. |
| ET - 14 | CometBFT | Berachain's BFT consensus module. |
| ET - 15 | BeaconDeposit | Processes BERA deposits for becoming a validator. |
| ET - 16 | Operator | Entity to which validators delegate reward allocation and commission settings. |
| ET - 17 | dApp owner | Entity that sends dApp fees to the FeeCollector. |
| ET - 18 | Oracle | Entity that fetches the price of HONEY collateral. |
| ET - 19 | Guardians | Entity that makes final decisions in governance. |


Asset

| ID | Name | Description |
| --- | --- | --- |
| AT - 1 | BGT | A token that functions as governance and an economic incentive. |
| AT - 2 | BERA | Native coin used for gas and deposits. |
| AT - 3 | Fee Token | Token collected as fees from various dApps. |
| AT - 4 | LP Token (Receipt Token) | Token that certifies liquidity provision to protocols like Bex. |
| AT - 5 | Incentive Token | Token provided as a reward to BGT boosters. |
| AT - 6 | HONEY | Berachain's native stablecoin. |
| AT - 7 | BYUSD / USDC | Stablecoin used as collateral for HONEY. |


Entry Point

| ID | Name | Description |
| --- | --- | --- |
| EP - 1 | deposit | Deposits BERA to become a validator. |
| EP - 2 | operatorChange | Sets the validator's operator. |
| EP - 3 | processWithdrawals | Withdraws deposited BERA. |
| EP - 4 | queueNewRewardAllocation | Sets the validator's BGT distribution vault. |
| EP - 5 | queueValCommission | Sets the fees received by the validator. |
| EP - 6 | addIncentive | Increases the incentive token in the vault. |
| EP - 7 | setDistributor | Changes the vault's distributor. |
| EP - 8 | recoverERC20 (RewardVault) | Transfers tokens other than the stake token and incentive token to the vault owner. |
| EP - 9 | recoverERC20 (BGTStaker) | Transfers tokens other than HONEY to governance. |
| EP - 10 | setRewardsDuration | Sets the reward distribution period. |
| EP - 11 | removeIncentiveToken | Removes the incentive token. |
| EP - 12 | claimFees | Pays the payoutAmount and takes the fee. |
| EP - 13 | mint | Exchanges collateral (BYUSD, USDC) for HONEY. |
| EP - 14 | redeem | Exchanges HONEY for collateral. |
| EP - 15 | getprice | Queries the oracle's price. |
| EP - 16 | propose | Submits a proposal to governance. |
| EP - 17 | vote | Votes on a proposal submitted to governance. |
| EP - 18 | activateQueuedValCommission | Activates the commission that has been queued. |
| EP - 19 | withdraw | Withdraws staked LP tokens from the vault. |
| EP - 20 | stake | Stakes LP tokens in the vault. |
| EP - 21 | notifyRewardAmount | Adds to the vault's BGT Reward payment amount. |
| EP - 22 | computeReward | Calculates the BGT distribution amount proportional to the boost. |
| EP - 23 | distributeFor | Distributes BGT rewards for the block validator. |
| EP - 24 | getReward | Receives BGT rewards for staked LP tokens. |
| EP - 25 | initialize | Initializes the contract. |


Scenarios


Click the ID to check the security guidelines for that scenario.

| ID | Entry Point | Asset | Description |
| --- | --- | --- | --- |
|  | EP - 23 | AT - 1 | If a validator receives block creation rewards on the execution layer while the consensus layer performs inaccurate information verification, a block reward delivery error occurs. |
|  | EP - 2, EP - 4 | AT - 1 | Negligent reward allocation settings by the operator set by the validator can reduce the validator boost, potentially collapsing the flywheel structure. |
|  | EP - 1, EP - 3 | AT - 2 | There is no logic for a validator to withdraw as much deposited BERA as they want, making it impossible to withdraw accidentally deposited BERA or the required amount of BERA, tying up funds on the chain until it goes beyond the validator cap. |
|  | EP - 23 | AT - 4 | Allowing re-entrancy into functions that control token flow within a contract can lead to unauthorized token withdrawal issues. |
|  | EP - 8 | AT - 5 | If an unauthorized user arbitrarily manipulates incentive token settings, it can lead to excessive rewards from the system, disrupting the incentive structure. |
|  | EP - 6 | AT - 5 | Omission of verification procedures for incentive tokens can lead to asset loss due to approval amount mismatches or transmission failures during the network reward processing. |
|  | EP - 25 | AT - 5 | System errors can occur due to the omission of essential verification procedures and filtering functions during the initial contract deployment process. |
|  | EP - 5, EP - 18 | AT - 5 | There is a possibility of reward withdrawal or manipulation due to contract access control setting errors. |
|  | EP - 21, EP - 22 | AT - 1, AT - 5 | If precision loss occurs during the division operation when calculating the reward rate, the slight reductions in user rewards can accumulate repeatedly. |
|  | EP - 21 | AT - 4 | After calling the notifyRewardAmount function, withdrawing all LP tokens to make the balance zero can cause problems due to duplicate accumulation of the reward balance. |
|  | EP - 11 | AT - 5 | Removing a normally functioning incentive token poses a risk of sudden user reward suspension, leading to changes in the reward structure and potential issues. |
|  | EP - 14 | AT - 1 | When redeeming BGT, if the target contract has an insufficient amount of native tokens, it can lead to a chain liquidity crisis due to the inability to receive rewards. |
|  | EP - 4 | AT - 1, AT - 4, AT - 5 | Collusion among operators to concentrate BGT in a specific reward vault can lead to liquidity depletion and concentration in other protocols. |
|  | EP - 16, EP - 20 | AT - 1 | If a few top LSDs and validators collude to monopolize BGT boosting, BGT inflation could rapidly increase, and a structure where BGT ownership and rewards are concentrated among a very small group could become a reality. |
|  | EP - 6 | AT - 1, AT - 5 | If the incentive token is depleted and there is no additional supply, the validator boost reward will decrease sharply. |
|  | EP - 6 | AT - 5 | After the incentive token is depleted, the reward ratio decreases, and the boost APR of the validator who chose that reward vault also decreases. |
|  | EP - 12 | AT - 3, AT - 6 | A transaction that front-runs a user's call to the claimFees function can distort the user's fee reward. |
|  | EP - 12, EP - 13, EP - 14, EP - 15 | AT - 1, AT - 7 | There is a possibility of loss during the minting/redeeming process of HONEY tokens due to external oracle price manipulation and unreliable oracle logic. |
|  | EP - 15 | AT - 6 | Due to the excessive de-pegging sensitivity standard of the HONEY token, an attacker can induce a slight de-pegging of the stablecoins that make up HONEY to activate Basket mode and cause user losses. |
|  | EP - 14 | AT - 6 | If the valuation and user notification standards for redeeming de-pegged assets are not clear, the value of the tokens to be received when Basket mode is activated cannot be accurately assessed. |
|  | EP - 1, EP - 16, EP - 17 | AT - 1, AT - 2, AT - 5 | If a single protocol monopolizes BGT, it can manipulate governance votes to enforce policies favorable to the protocol. |
|  | EP - 1, EP - 16, EP - 17 | AT - 1, AT - 2, AT - 5 | There is a risk that malicious reward vaults or incentive tokens could be approved through governance, leading to asset theft by attackers or undermining system stability. |
|  | EP - 1, EP - 16, EP - 17 | AT - 1, AT - 2, AT - 5 | If governance does not operate fairly due to conflicts of interest from the foundation or guardians rejecting unfavorable proposals, it can undermine the decentralization of the system. |
|  | EP - 1, EP - 16, EP - 17 | AT - 1, AT - 2, AT - 5 | Due to the lack of on-chain logic for governance functions, it operates based on off-chain forum-based voting, which can lead to inefficiency and manipulation in the decision-making process. |
|  | EP - 1, EP - 16, EP - 17 | AT - 1, AT - 2, AT - 5 | If users are not given sufficient prior notice when system changes are made due to the passage of a governance proposal, the speed of user response within the notice period may be reduced, leading to unexpected losses or a decline in trust. |
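
The precision-loss scenario listed for EP - 21 / EP - 22, worked through as an added example (not Berachain's contract code): an integer-only Python model of a vault that streams each notified reward over a fixed period, comparing a truncating rate with a scaled rate whose remainder is carried into the next notification. The function name, the `PRECISION` scale, the stake balances and the reward amounts are constructed assumptions.

```python
# Added illustration: integer-only model of a reward vault that streams each
# notified amount over a fixed period. All names and values are constructed.
PRECISION = 10**18            # assumed fixed-point scale
WEEK = 7 * 24 * 3600          # assumed rewards duration, in seconds
STAKES = {"alice": 3 * 10**18, "bob": 1 * 10**18}   # constructed LP balances
WEEKLY = 5_000_000_000        # constructed: 5,000 units of a 6-decimal token


def run_epochs(notified, duration, stakes, carry_remainder):
    """Return (paid_to_stakers, undistributed) after streaming every amount.

    carry_remainder=False: rate = amount // duration; the truncated remainder
    is dropped on every notification.
    carry_remainder=True: the rate is computed at PRECISION scale and whatever
    was not distributed is added to the next notification's budget.
    """
    total_supply = sum(stakes.values())
    reward_per_token = 0      # accumulator, scaled by PRECISION
    carry = 0                 # scaled reward units not yet distributed
    for amount in notified:
        if carry_remainder:
            budget = amount * PRECISION + carry
            rate = budget // duration                    # scaled units / second
            step = rate * duration // total_supply
            carry = budget - step * total_supply         # kept, not lost
        else:
            rate = amount // duration                    # truncates
            step = rate * duration * PRECISION // total_supply
        reward_per_token += step
    paid = sum(bal * reward_per_token // PRECISION for bal in stakes.values())
    return paid, sum(notified) - paid


if __name__ == "__main__":
    for weeks in (52, 104):
        naive = run_epochs([WEEKLY] * weeks, WEEK, STAKES, False)
        fixed = run_epochs([WEEKLY] * weeks, WEEK, STAKES, True)
        print(weeks, "weeks: truncating rate leaves", naive[1],
              "base units undistributed; carried remainder leaves", fixed[1])
```

With the truncating rate the shortfall grows with every notification, while with the remainder carried forward it stays bounded and remains available for later distribution.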
