The value of maxOperatorId is set by the operator. If set too low, the system may be blocked due to the fact that all node operators can be disabled and it will not be possible to add a new node operator
Proof of Concept
if (nextOperatorId > maxOperatorId) {
revert MaxOperatorLimitReached();
}
Tools Used
Manual audit
Recommended Mitigation Steps
Check not by maxOperatorId, but by the number of active operators
if (nextOperatorId > totalActiveValidatorCount)
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/PermissionedNodeRegistry.sol#L118
Vulnerability details
Impact
The value of maxOperatorId is set by the operator. If set too low, the system may be blocked due to the fact that all node operators can be disabled and it will not be possible to add a new node operator
Proof of Concept
if (nextOperatorId > maxOperatorId) { revert MaxOperatorLimitReached(); }
Tools Used
Manual audit
Recommended Mitigation Steps
Check not by maxOperatorId, but by the number of active operators if (nextOperatorId > totalActiveValidatorCount)
Assessed type
Invalid Validation