Vulnerability details
Impact
In the Penalty.sol contract anyone can call the markValidatorSettled(...) function to clear the penalty of an erring validator.
Proof of Concept
Anyone can clear the penalty of an erring validator by calling markValidatorSettled(...), as the function does not implement a logic check that the validator has actually settled its debt.
Ideally the markValidatorSettled(...) function should check that the validator has settled its penalty before clearing. However, due to
- the missing check for the outstanding penalty balance, and
- the missing logic in the updateTotalPenaltyAmount(...) function to exit validators who have exceeded their penalty threshold,
validators with an outstanding penalty, and also validators who have exceeded their penalty threshold and should have been kicked out but remain in the system, can avoid getting kicked out by calling markValidatorSettled(...) to clear their penalty.
Tools Used
VS Code
Recommended Mitigation Steps
Perform checks for
- the outstanding validator penalty before clearing the balance, reverting the call otherwise
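The unchecked clearing pattern described above beside a hardened version, as an added illustration written for this report and not Stader's actual Penalty.sol; the contract layout, the settledAmount and exited bookkeeping, the owner check and penaltyThreshold are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified penalty ledger constructed for this example (not the project's code).
// totalPenaltyAmount, settledAmount, exited and penaltyThreshold are assumed names.
contract PenaltyModel {
    mapping(bytes => uint256) public totalPenaltyAmount; // penalty owed, keyed by validator pubkey
    mapping(bytes => uint256) public settledAmount;      // ETH actually received towards the penalty
    mapping(bytes => bool) public exited;                // validators forced out for exceeding the threshold
    uint256 public immutable penaltyThreshold;
    address public immutable owner;                      // the only party allowed to record penalties

    event ValidatorMarkedAsSettled(bytes pubkey);
    event ValidatorExited(bytes pubkey);

    constructor(uint256 _penaltyThreshold) { penaltyThreshold = _penaltyThreshold; owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // VULNERABLE PATTERN from the finding: the debt is zeroed with no proof that it was ever paid.
    function markValidatorSettledUnchecked(bytes calldata _pubkey) external {
        totalPenaltyAmount[_pubkey] = 0;
        emit ValidatorMarkedAsSettled(_pubkey);
    }

    // Accumulates penalty and exits the validator once the threshold is exceeded.
    function updateTotalPenaltyAmount(bytes calldata _pubkey, uint256 _amount) external onlyOwner {
        totalPenaltyAmount[_pubkey] += _amount;
        if (totalPenaltyAmount[_pubkey] > penaltyThreshold && !exited[_pubkey]) {
            exited[_pubkey] = true;
            emit ValidatorExited(_pubkey);
        }
    }

    // Payment towards the penalty is recorded separately from the debt it covers.
    function settlePenalty(bytes calldata _pubkey) external payable {
        settledAmount[_pubkey] += msg.value;
    }

    // HARDENED: clearing requires that the validator was not exited and that the debt is fully covered.
    function markValidatorSettled(bytes calldata _pubkey) external {
        require(!exited[_pubkey], "validator exceeded penalty threshold");
        uint256 owed = totalPenaltyAmount[_pubkey];
        require(settledAmount[_pubkey] >= owed, "outstanding penalty not settled");
        settledAmount[_pubkey] -= owed;
        totalPenaltyAmount[_pubkey] = 0;
        emit ValidatorMarkedAsSettled(_pubkey);
    }
}
```

With the hardened function, a validator that still owes a penalty or has already crossed the threshold cannot clear its own record; the call reverts instead.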
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Penalty.sol#L144-L148
Assessed type
Access Control