movementlabsxyz / movement

The Movement Network is a Move-based L2 on Ethereum.
Apache License 2.0

MST-4 setGenesisCeremony Issue #452

Open SA124 opened 2 months ago

SA124 commented 2 months ago

MST-4 setGenesisCeremony Issue
Auditor: Movebit
Code: MCR Settlement Contract
Severity: Discussion
Status: Pending

Code Location: protocol-units/settlement/mcr/contracts/src/staking/MovementStaking.sol#9

Descriptions: Since the refundAmount paid by setGenesisCeremony to attesters is derived from the MovementStaking contract, it is possible for users to register new domains in order to withdraw tokens.

Suggestion: It is recommended to ensure that this is as designed.

chrisyy2003 commented 3 weeks ago

So far setGenesisCeremony is still a public function, how's the fix now?

l-monninger commented 3 weeks ago

I think this got lost in the shuffle of transitioning from our private mirror to the public repo. But, msg.sender restricts the effects of this method to the domain. The usage of _payAttester was corrected correspondingly: https://github.com/movementlabsxyz/movement/pull/364

However, any further issues fall under...

This is considered an "accepted risk" for this portion of the audit as with any other issues tagged "decentralization."
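As an added illustration of the distinction in the reply above (this is not the project's contract; the storage layout, the custodian-as-domain model and the stakeFor function are assumptions for the sketch): the method can stay public as long as the domain is taken from msg.sender and every refund is bounded by that attester's own stake in that domain, so registering a fresh domain gives a caller nothing to draw on but balances staked against it.

```solidity
// SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.20;

// Hypothetical, simplified sketch (not MovementStaking): each domain holds
// stake for its attesters, and the genesis ceremony refunds part of it.
contract DomainScopedStaking {
    // domain => attester => staked amount (assumed layout, constructed here)
    mapping(address => mapping(address => uint256)) public stake;
    // domain => whether the genesis ceremony has already been run
    mapping(address => bool) public genesisDone;

    event Refunded(address indexed domain, address indexed attester, uint256 amount);

    // Attesters stake against one specific domain. Because balances are keyed
    // by domain, no domain can ever spend another domain's balance.
    function stakeFor(address domain) external payable {
        require(msg.value > 0, "no value");
        stake[domain][msg.sender] += msg.value;
    }

    // Public, but scoped: the domain is msg.sender, not a caller-supplied
    // argument. A caller who registers a new domain only touches its own state.
    function setGenesisCeremony(address[] calldata attesters, uint256[] calldata refunds) external {
        address domain = msg.sender;
        require(!genesisDone[domain], "genesis already run");
        require(attesters.length == refunds.length, "length mismatch");
        genesisDone[domain] = true; // set before any transfer (checks-effects-interactions)
        for (uint256 i = 0; i < attesters.length; i++) {
            _payAttester(domain, attesters[i], refunds[i]);
        }
    }

    // A refund is paid only out of the attester's own stake in the calling domain,
    // so the refundAmount can never exceed what was actually deposited there.
    function _payAttester(address domain, address attester, uint256 amount) internal {
        uint256 staked = stake[domain][attester];
        require(amount <= staked, "refund exceeds stake");
        stake[domain][attester] = staked - amount; // effect before interaction
        emit Refunded(domain, attester, amount);
        (bool ok, ) = attester.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The weak shape the finding describes is the same function taking `domain` as a parameter and paying refunds from a shared pool; the per-domain bookkeeping above is what makes a newly registered domain worthless as a withdrawal path.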