Lack of sufficient power check in `updateValset` of `Gravity`

[code423n4]

Handle

shw

Vulnerability details

Impact

The updateValset function does not check whether the new valset has sufficient power to pass a vote (see the constructor for more details). If the new valset does not, any function calling checkValidatorSignatures will be disabled (since the transaction reverts).

Proof of Concept

Referenced code: Gravity.sol#L224 Gravity.sol#L584-L590

Recommended Mitigation Steps

Add a check to ensure that the total power of the new valset is at least the power threshold.

[jkilpatr]

This is a good bug report highlighting a real oversight. We do check that all validator powers add up to the expected amount on the Gravity module side but there's no reason not to perform that same check on this side.

I would describe this bug as high risk but low probability since it would require this normalization code to fail as well.

Semi duplicate in #51 which also describes this issue. Duplicate of #37