code-423n4 / 2022-10-holograph-findings


MED: HolographOperator.sol's resetOperator() function allows malicious or hacked admin to permanently freeze operator's bonded tokens. #478

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L278

Vulnerability details

Description

In HolographOperator, the following function is implemented:

function resetOperator(
  uint256 blockTime,
  uint256 baseBondAmount,
  uint256 podMultiplier,
  uint256 operatorThreshold,
  uint256 operatorThresholdStep,
  uint256 operatorThresholdDivisor
) external onlyAdmin {
  _blockTime = blockTime;
  _baseBondAmount = baseBondAmount;
  _podMultiplier = podMultiplier;
  _operatorThreshold = operatorThreshold;
  _operatorThresholdStep = operatorThresholdStep;
  _operatorThresholdDivisor = operatorThresholdDivisor;
  _operatorPods = [[address(0)]];
  _bondedOperators[address(0)] = 1;
}

This function represents a substantial centralization risk because admin can completely reset the bonds attached to the contract, thereby making all operators lose their staked amount.

Impact

Admin / hacked account can reset the HolographOperator contract, making operators lose their entire stake.

Tools Used

Manual audit

Recommended Mitigation Steps

Remove the function altogether.

Minh-Trng commented 1 year ago

This is known and will not be part of the production code, as can be seen by the comment above the function.

ACC01ADE commented 1 year ago

NOT PART OF FINAL CODE !!! on Line #276 makes it pretty clear that this is not part of the production code. It was left intentionally for our team to be able to make some upgrades possible during our development/testing.
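The thread resolves on the promise that a function marked "NOT PART OF FINAL CODE" is removed before release. The following is an added example, not part of the issue thread or the Holograph code base: a release-gate check that fails when a function still carries that marker. The comment layout in the sample, the abridged signature, `keepMe`, and the helper names `find_dev_only_functions` and `release_gate` are assumptions.

```python
import re

# Marker text quoted in the sponsor's comment on this issue.
MARKER = "NOT PART OF FINAL CODE"
FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")

def find_dev_only_functions(source, window=12):
    """Return (marker_line, function_name) for each marker comment that is
    followed, within `window` lines, by a function declaration."""
    lines = source.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if MARKER not in line:
            continue
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            m = FUNC_RE.search(lines[j])
            if m:
                hits.append((i + 1, m.group(1)))
                break
    return hits

# Constructed sample: comment layout is assumed, signature is abridged,
# and keepMe() is a hypothetical function that must not be flagged.
SAMPLE = """\
contract HolographOperator {
  function keepMe() external {}

  /**
   * @dev NOT PART OF FINAL CODE !!!
   */
  function resetOperator(
    uint256 blockTime,
    uint256 baseBondAmount
  ) external onlyAdmin {
    _operatorPods = [[address(0)]];
  }
}
"""

def release_gate(source):
    """Return 0 if the source is clean, 1 if dev-only functions remain."""
    hits = find_dev_only_functions(source)
    for line_no, name in hits:
        print(f"line {line_no}: {name}() is still marked '{MARKER}'")
    return 1 if hits else 0

if __name__ == "__main__":
    raise SystemExit(release_gate(SAMPLE))
```

Run against each contract file in the release pipeline, a non-zero exit blocks deployment until the marked function has been deleted.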