Mitigation Confirmed for Mitigation of M-14 Issue mitigated

[code423n4]

C4 issue

M-14: any duration can be passed by node operator

Comments

Anyone can call createMinipool() with nodeID, duration, delegationFee parameters. The original implementation did not have sanity checks for duration, delegationFee parameters and this could lead to various issues.

• H-06 MinipoolManager: node operator can avoid being slashed showed an attack path that the node operator can avoid being slashed by providing bad input parameters that will cause revert on slash.
• This QA report showed that recordStakingEnd() can revert due to overflow.

Mitigation

PR #38 Double checked the Avalanche documentation about the requirements for duration, delegationFee. The mitigation added new sanity checks as below.

Tests

There were several unreasonable test cases in the original code base (e.g. 0 duration) and these are fixed now. All passing.

Note

There is another issue found in the mitigation for H-04 and it is slightly related to this one.

Conclusion

LGTM

[c4-judge]

GalloDaSballo marked the issue as satisfactory